
Windows Analysis Report
#U8fdd#U89c4#U540d#U5355.exe

Overview

General Information

Sample name: #U8fdd#U89c4#U540d#U5355.exe (Joe Sandbox's #Uxxxx escaping of the Chinese filename 违规名单.exe, "violation list.exe")
renamed because original name is a hash value
Original sample name: .exe
Analysis ID: 1443624
MD5: 5d84e6ed7d8e9b89fae2771d6870393e
SHA1: fee5fe80e8cf95156c1129079747729f9ad54cef
SHA256: 193a19a4d22e3f959cd43b0aa05c11a3793283a27f9af95e8d468693277ef128
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Enables network access during safeboot for specific services
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Modifies the windows firewall
Monitors registry run keys for changes
Registers a service to start in safe boot mode
Sample is not signed and drops a device driver
Tries to open files direct via NTFS file id
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Weak or Abused Passwords In CLI
Spawns drivers
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification (diagram not extracted)

Process Tree

  • System is w10x64
  • #U8fdd#U89c4#U540d#U5355.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe" MD5: 5D84E6ED7D8E9B89FAE2771D6870393E)
    • Dism.exe (PID: 7960 cmdline: dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System" MD5: C100B8F80EE9C3E4D4448634025910B5)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wimserv.exe (PID: 8036 cmdline: wimserv.exe a87a5149-c7b0-4e41-bd88-ef52e4b1f2cb MD5: 7477F87C3C1D7633A0E003BE6AA01020)
    • 7z.exe (PID: 8120 cmdline: C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y MD5: 36A3807A11DF584777165172C71797EE)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7z.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y MD5: 36A3807A11DF584777165172C71797EE)
      • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5872 cmdline: cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5644 cmdline: netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • cmd.exe (PID: 3444 cmdline: cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2744 cmdline: netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • systecv3.exe (PID: 6920 cmdline: "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE MD5: B9E0A7CBD7FDB4D179172DBDD453495A)
    • winrdgv3.exe (PID: 7352 cmdline: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE MD5: 97AC3EF2E098C4CB7DD6EC1D14DC28F1)
    • winrdlv3.exe (PID: 5664 cmdline: "C:\Windows\system32\winrdlv3.exe" SW_HIDE MD5: 0CBEB75D3090054817EA4DF0773AFE35)
    • Dism.exe (PID: 1656 cmdline: Dism /Unmount-Wim /MountDir:"C:\Users\user\AppData\Local\Temp\System" /commit MD5: C100B8F80EE9C3E4D4448634025910B5)
      • conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wimmount.sys (PID: 4 cmdline: MD5: 416B0938189ED0D4A8B5BBBE3F045269)
  • winrdgv3.exe (PID: 5232 cmdline: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" MD5: 97AC3EF2E098C4CB7DD6EC1D14DC28F1)
    • winrdlv3.exe (PID: 7276 cmdline: C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32 MD5: 0CBEB75D3090054817EA4DF0773AFE35)
      • winrdlv3.exe (PID: 7368 cmdline: C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32 MD5: 0CBEB75D3090054817EA4DF0773AFE35)
        • regsvr32.exe (PID: 2400 cmdline: C:\Windows\system32\regsvr32.exe /s trmenushl64.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • svchost.exe (PID: 1856 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • nwifi.sys (PID: 4 cmdline: MD5: 8CA2DD9A18327EFBD5D7E8E099E36BD4)
  • ndisuio.sys (PID: 4 cmdline: MD5: 09BD40437780ED584D06519373ACEDC7)
  • svchost.exe (PID: 2168 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2780 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -s TermService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6396 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
No configs have been found
Yara matches (dropped files)
Source | Rule | Description | Author | Strings
C:\Windows\SysWOW64\winoav3.dll | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
C:\Windows\bakoav3.sys | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: 7z.exe PID: 8120 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: winrdlv3.exe PID: 7368 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Yara matches (unpacked PEs)
Source | Rule | Description | Author | Strings
6.3.7z.exe.31b0000.1.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
20.2.winrdlv3.exe.10000000.1.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Sigma match (author: Max Altgelt, Nextron Systems), source: Process started. Image: C:\Windows\System32\drivers\wimmount.sys, NewProcessName: C:\Windows\System32\drivers\wimmount.sys, OriginalFileName: C:\Windows\System32\drivers\wimmount.sys, ProcessName: wimmount.sys, ProcessId: 4, ParentProcessId: -1; Command, CommandLine, ParentCommandLine and ParentImage are empty (a driver loaded in the System process, PID 4, is recorded here as a process start)
Sigma match (author: Nasreddine Bencherchali, Nextron Systems), source: Process started. CommandLine: C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y, Image: C:\Users\user\AppData\Local\Temp\7z.exe, ProcessName: 7z.exe, ProcessId: 8120, ParentCommandLine: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe", ParentImage: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, ParentProcessName: #U8fdd#U89c4#U540d#U5355.exe, ParentProcessId: 7864 (Command, NewProcessName, OriginalFileName and ProcessCommandLine repeat the same values)
Sigma match (author: vburov), source: Process started. CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc, Image: C:\Windows\System32\svchost.exe, ProcessName: svchost.exe, ProcessId: 1856, ParentProcessId: 620; ParentCommandLine and ParentImage are empty
                No Snort rule has matched
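The process tree and the Sigma matches above show the installer chain that matters for detection: a 7-Zip binary dropped in the user's Temp directory extracting password-protected archives straight into C:\Windows and System32, DISM mounting a WIM from Temp, and netsh opening the firewall for the freshly extracted winrdlv3.exe. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample, showing how those command lines can be checked in a process-creation log feed (Sysmon event 1 or 4688 with command-line auditing). The event records are constructed from the command lines in the tree; the last, benign record and the path rules are assumptions made for this example.

```python
"""Flag installer-style process chains from process-creation command lines."""
import ntpath
import re

# Constructed process-creation events. The command lines are the ones shown in
# the report's process tree; the last event is a made-up benign control.
EVENTS = [
    {"pid": 7960, "cmd": r'dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System"'},
    {"pid": 8120, "cmd": r"C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y"},
    {"pid": 5640, "cmd": r"C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y"},
    {"pid": 5644, "cmd": r'netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"'},
    {"pid": 9001, "cmd": r'"C:\Program Files\7-Zip\7z.exe" x photos.zip -oC:\Users\user\Pictures -y'},
]

WINDOWS_DIR = r"c:\windows"
# Assumed layout of a user profile temp directory (adjust for other profile roots).
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmd)]


def under(path, prefix):
    """True if path equals prefix or lies below it (case-insensitive)."""
    p = path.lower().rstrip("\\")
    return p == prefix or p.startswith(prefix + "\\")


def check_archive_extract(tokens):
    """7-Zip extraction with a password on the command line or into the Windows directory."""
    exe = ntpath.basename(tokens[0]).lower()
    if exe not in {"7z.exe", "7za.exe", "7zr.exe"} or len(tokens) < 2 or tokens[1].lower() not in {"x", "e"}:
        return []
    opts = tokens[2:]
    password = next((t[2:] for t in opts if t.startswith("-p")), None)
    outdir = next((t[2:] for t in opts if t.startswith("-o")), None)
    out = []
    if password is not None:
        out.append(f"7-Zip extraction with inline password '{password}'")
    if outdir and under(outdir, WINDOWS_DIR):
        out.append(f"7-Zip extraction into the Windows directory: {outdir}")
    return out


def check_dism_mount(tokens):
    """DISM mounting a WIM/image whose source file lives in a user temp directory."""
    if ntpath.basename(tokens[0]).lower() not in {"dism.exe", "dism"}:
        return []
    opts = {}
    for t in tokens[1:]:
        if t.startswith("/"):
            key, _, value = t.partition(":")
            opts[key.lower()] = value
    if "/mount-wim" in opts or "/mount-image" in opts:
        image = opts.get("/wimfile") or opts.get("/imagefile") or ""
        if USER_TEMP.match(image):
            return [f"DISM mounting an image from a user temp directory: {image}"]
    return []


def check_netsh_firewall(tokens):
    """netsh advfirewall 'add rule ... action=allow program=<path>'."""
    if ntpath.basename(tokens[0]).lower() not in {"netsh.exe", "netsh"}:
        return []
    words = {t.lower() for t in tokens[1:] if "=" not in t}
    if not {"advfirewall", "firewall", "add", "rule"} <= words:
        return []
    kv = {k.lower(): v for k, _, v in (t.partition("=") for t in tokens[1:] if "=" in t)}
    if kv.get("action", "").lower() == "allow" and kv.get("program"):
        return [f"firewall allow rule '{kv.get('name', '')}' dir={kv.get('dir', '?')} for {kv['program']}"]
    return []


CHECKS = (check_archive_extract, check_dism_mount, check_netsh_firewall)


def analyze(events):
    """Return {pid: [findings]} for every event that trips at least one check."""
    report = {}
    for ev in events:
        tokens = tokenize(ev["cmd"])
        if not tokens:
            continue
        findings = [f for check in CHECKS for f in check(tokens)]
        if findings:
            report[ev["pid"]] = findings
    return report


if __name__ == "__main__":
    for pid, findings in analyze(EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

None of these checks is conclusive on its own: software deployment tools also pass `-p` to 7-Zip and add firewall rules. What separates this chain is the combination within one parent process, so the findings are best scored per parent (PID 7864 here) rather than alerted individually.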

AV Detection

Source: #U8fdd#U89c4#U540d#U5355.exe | Virustotal: Detection: 17%
Source: #U8fdd#U89c4#U540d#U5355.exe | ReversingLabs: Detection: 23%
Source: 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: #U8fdd#U89c4#U540d#U5355.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\LICENSE.electron.txt
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\systecv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\V4\4.73.808.X\4.0.0.31\Bin\Release\winoav3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinRdgv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000531B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe.0.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv3.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, winwdgv3.dll.8.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv364.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: H:\WorkshopAgent\DevelopProjX\winrdlv3\Bin\Release\WinRdlv3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\WorkshopAgent\DevelopProj2\AgentInstaller\Inner\PreRelease\AInstallV3\Bin\Unicode_Release\LInstSvr.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, LInstSvr.exe.6.dr
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: z:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: x:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: v:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: t:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: r:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: p:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: n:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: l:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: j:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: h:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: f:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: d:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: b:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: y:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: w:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: u:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: s:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: q:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: o:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: m:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: k:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: i:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: g:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: e:
Source: C:\Windows\SysWOW64\Dism.exe | File opened: c:
Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: a:
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_00406006 FindFirstFileA,FindClose,0_2_00406006
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_004055C2 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055C2
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_00402647 FindFirstFileA,0_2_00402647
Source: C:\Users\user\AppData\Local\Temp\7z.exe | Code function: 6_2_001D58C4 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,6_2_001D58C4
Source: C:\Users\user\AppData\Local\Temp\7z.exe | Code function: 6_2_001D7635 FindFirstFileW,6_2_001D7635
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_005BC1BB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,17_2_005BC1BB
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00481E70 FindFirstFileA,FindNextFileA,FindClose,17_2_00481E70
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040C0B0 FindFirstFileA,FindNextFileA,FindClose,17_2_0040C0B0
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00482180 FindFirstFileW,FindNextFileW,FindClose,17_2_00482180
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040C2E0 FindFirstFileW,FindNextFileW,FindClose,17_2_0040C2E0
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00414440 FindFirstFileW,FindClose,17_2_00414440
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004144B0 FindFirstFileW,FindFirstFileW,17_2_004144B0
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0048A500 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,17_2_0048A500
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00482600 FindFirstFileW,FindNextFileW,SetLastError,FindClose,17_2_00482600
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_005BC6D1 FindFirstFileA,FindClose,17_2_005BC6D1
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00482A60 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,17_2_00482A60
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040EB60 CopyFileA,SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,17_2_0040EB60
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040CE50 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA,17_2_0040CE50
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00468FC0 GetFileAttributesA,FindFirstFileA,FindClose,CreateFileA,GetFileTime,CloseHandle,GetLocalTime,17_2_00468FC0
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00481060 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError,17_2_00481060
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00483000 FindFirstFileW,FindNextFileW,SetLastError,FindClose,17_2_00483000
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0058B0C7 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,17_2_0058B0C7
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040D0B0 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW,17_2_0040D0B0
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004111E0 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose,17_2_004111E0
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00481180 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError,17_2_00481180
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004052A0 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,17_2_004052A0
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040D450 FindFirstFileW,MoveFileExA,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose,17_2_0040D450
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040F400 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,17_2_0040F400
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00483480 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,17_2_00483480
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040DB10 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,17_2_0040DB10
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00427B30 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,DeleteFileA,17_2_00427B30
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0045A030 FindFirstFileW,FindNextFileW,SetLastError,FindClose,18_2_0045A030
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00458090 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError,18_2_00458090
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040A160 FindFirstFileW,FindNextFileW,FindClose,18_2_0040A160
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_004581B0 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError,18_2_004581B0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_004122B0 FindFirstFileW,FindClose,18_2_004122B0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00412320 FindFirstFileW,FindFirstFileW,18_2_00412320
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0045A4B0 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,18_2_0045A4B0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00404940 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,18_2_00404940
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040C9E0 SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,18_2_0040C9E0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040ACD0 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA,18_2_0040ACD0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00458EA0 FindFirstFileA,FindNextFileA,FindClose,18_2_00458EA0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040AF30 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW,18_2_0040AF30
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00548FAB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,18_2_00548FAB
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040F060 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose,18_2_0040F060
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_004591B0 FindFirstFileW,FindNextFileW,FindClose,18_2_004591B0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040B2D0 FindFirstFileW,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose,18_2_0040B2D0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040D280 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,18_2_0040D280
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_005494C1 FindFirstFileA,FindClose,18_2_005494C1
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00475670 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,18_2_00475670
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00459630 FindFirstFileW,FindNextFileW,SetLastError,FindClose,18_2_00459630
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040B990 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,18_2_0040B990
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00459A90 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,18_2_00459A90
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00409F30 FindFirstFileA,FindNextFileA,FindClose,18_2_00409F30
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1017F1D9 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,19_2_1017F1D9
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1006B030 FindFirstFileExW,FindFirstFileW,FindNextFileW,SetLastError,FindClose,19_2_1006B030
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1014F097 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,19_2_1014F097
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10069090 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError,19_2_10069090
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_100150F0 FindFirstFileW,FindClose,19_2_100150F0
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10015160 FindFirstFileW,FindFirstFileExW,FindFirstFileW,19_2_10015160
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_100691B0 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError,19_2_100691B0
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1006B4B0 FindFirstFileW,FindFirstFileExW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,19_2_1006B4B0
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1017F6EF FindFirstFileA,FindClose,19_2_1017F6EF
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000F810 SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_1000F810
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000DB00 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA,19_2_1000DB00
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000DD60 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW,19_2_1000DD60
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10011E90 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose,19_2_10011E90
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10069EA0 FindFirstFileA,FindNextFileA,FindClose,19_2_10069EA0
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_100100B0 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_100100B0
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000E100 FindFirstFileW,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose,19_2_1000E100
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1006A1B0 FindFirstFileW,FindNextFileW,FindClose,19_2_1006A1B0
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1006A630 FindFirstFileExW,FindFirstFileW,FindNextFileW,SetLastError,FindClose,19_2_1006A630
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10076630 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,19_2_10076630
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000E7C0 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_1000E7C0
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1006AA90 FindFirstFileW,FindFirstFileExW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,19_2_1006AA90
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10006B60 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,19_2_10006B60
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000CD60 FindFirstFileA,FindNextFileA,FindClose,19_2_1000CD60
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000CF90 FindFirstFileW,FindNextFileW,FindClose,19_2_1000CF90
Source: C:\Users\user\AppData\Local\Temp\7z.exe | Code function: 6_2_001D62DF __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,6_2_001D62DF
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 4x nop then sub esp, 00000110h | 18_2_0041400B
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 4x nop then mov ecx, dword ptr [esp+04h] | 18_2_0049305C

                Networking

                Source: C:\Windows\SysWOW64\winrdlv3.exe | Registry value created: NULL Service
                Source: global traffic | TCP traffic: 192.168.2.11:49711 -> 45.125.48.89:8237
                Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.48.89 (50 identical entries)
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628944513.0000000010C34000.00000008.00000001.01000000.00000014.sdmp | String found in binary or memory: http://.exe890830CWinPatchInstaller::AddTask
                Source: winrdlv3.exe, 00000013.00000002.2620234829.0000000000562000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCert
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTru
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: winrdgv3.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                Source: winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.dp)
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: #U8fdd#U89c4#U540d#U5355.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
                Source: #U8fdd#U89c4#U540d#U5355.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp.digicert.com0L
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp.digicert.com0N
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp.digicert.com0O
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                Source: winrdlv3.exe, 00000013.00000002.2620234829.0000000000562000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dig.
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, systecv3.exe, 00000011.00000002.1443141785.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000000.1438557027.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1496088763.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000012.00000000.1442175571.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdlv3.exe, 00000013.00000002.2623324896.000000001019F000.00000002.00000001.01000000.00000013.sdmp, winrdlv3.exe, 00000014.00000002.2627709420.0000000010991000.00000002.00000001.01000000.00000014.sdmp, winrdgv3.exe, 00000015.00000002.1470129657.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000015.00000000.1449479022.0000000000566000.00000002.00000001.01000000.00000011.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000527C000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.drString found in binary or 
memory: http://www.openssl.org/support/faq.html
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1443141785.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000000.1438557027.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1496088763.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000012.00000000.1442175571.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdlv3.exe, 00000013.00000002.2623324896.000000001019F000.00000002.00000001.01000000.00000013.sdmp, winrdlv3.exe, 00000014.00000002.2627709420.0000000010991000.00000002.00000001.01000000.00000014.sdmp, winrdgv3.exe, 00000015.00000002.1470129657.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000015.00000000.1449479022.0000000000566000.00000002.00000001.01000000.00000011.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000527C000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr, winwdgv3.dll.8.drString found in binary or 
memory: http://www.openssl.org/support/faq.html....................
                Source: winrdgv3.exe, 00000012.00000002.1497543172.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/
                Source: winrdgv3.exe, 00000012.00000002.1497543172.00000000010F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/=C:
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1484600965.0000000000649000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1483899194.000000000066E000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486796477.0000000000649000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486891079.0000000000676000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1487022338.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000455C000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003125000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 
00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1443963988.0000000000658000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/N
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/w
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/xE
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2629479273.0000000010CAA000.00000008.00000001.01000000.00000014.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                Source: servicephqghume_2023_09_23.log.0.drString found in binary or memory: https://st.todesk.com/config-center/sync-config?fullUpdate=false
                Source: servicephqghume_2023_09_23.log.0.drString found in binary or memory: https://st.todesk.com/config-center/sync-config?fullUpdate=true
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: https://www.digicert.com/CPS0
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: https://www.globalsign.com/repository/0
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: https://www.globalsign.com/repository/06
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_0040512B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040512B
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0049E750 GetTickCount,GetVersion,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,18_2_0049E750
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0054E35C GetKeyState,GetKeyState,GetKeyState,GetKeyState,18_2_0054E35C
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00417EB0 OpenProcess,OpenProcess,OpenProcess,OpenProcess,NtQueryInformationProcess,CloseHandle,17_2_00417EB0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004A6280 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError,17_2_004A6280
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00410AA0 NtQuerySystemInformation,NtQuerySystemInformation,17_2_00410AA0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0048AD90 LoadLibraryW,LoadLibraryA,NtCreateFile,NtOpenFile,NtClose,NtReadFile,NtWriteFile,NtQueryInformationFile,NtSetInformationFile,NtDeleteFile,17_2_0048AD90
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00407360 NtOpenSymbolicLinkObject,NtClose,NtQuerySymbolicLinkObject,NtClose,17_2_00407360
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0047C080 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError,18_2_0047C080
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0045E580 LoadLibraryW,LoadLibraryA,NtCreateFile,NtOpenFile,NtClose,NtReadFile,NtWriteFile,NtQueryInformationFile,NtSetInformationFile,NtDeleteFile,18_2_0045E580
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0040E920 NtQuerySystemInformation,NtQuerySystemInformation,18_2_0040E920
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1001DBF0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtQuerySystemInformation,NtQueryInformationProcess,EnumProcesses,GetModuleFileNameExA,GetModuleFileNameExW,ProcessIdToSessionId,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,19_2_1001DBF0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_100186A0 NtQuerySystemInformation,NtQuerySystemInformation,19_2_100186A0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10093100 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError,19_2_10093100
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10011750 NtQuerySystemInformation,NtQuerySystemInformation,19_2_10011750
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_100785F0 LoadLibraryW,LoadLibraryA,NtCreateFile,NtOpenFile,NtClose,NtReadFile,NtWriteFile,NtQueryInformationFile,NtSetInformationFile,NtDeleteFile,19_2_100785F0
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D66A9: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,6_2_001D66A9
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0041E220 OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA,17_2_0041E220
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004102B0 CreateProcessAsUserW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,17_2_004102B0
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_0040323B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040323B
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakoav3.sys
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\system32\winwdgv364.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\OAgent.ini
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\msoapphash5.dat
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\msodhash3.dat
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\AgentTask
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\AgentTask\AgentTaskList.dat
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\win.ini
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakrdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakrdlv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakstec3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakwdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakwdgv364.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\LInstSvr.exe
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\bakrdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\bakstec3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\winoav3.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\winrdlv3.exe
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\winwdgv3.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeFile created: C:\Windows\SysWOW64\Ocular
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeFile created: C:\Windows\SysWOW64\Ocular3Path
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msoapphash5.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msodhash3.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OAgent.ini
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Mails
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Files
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Temp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\WinPatch
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Deploy
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Rtft
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\FtTemp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Dump
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\PrintData
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Screen
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Data
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Asset
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TSafeDoc
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\SurvData
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Policy
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\AgentTask
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSMatch
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSTemp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OAgentTray
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\BroHistory
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OBtEmulator
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Download
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\SCDT
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\SCDT\DocLog
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular3Path\SCDT
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent\7368
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886546_1_3_41
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886546_2_3_18467
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886546_3_3_6334
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886562_4_3_26500
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msagentclass.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_10_4890750_1_3_41
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msmidtierserverclass_cache3.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msmailboxcalss_cache.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msmailboxidentify_cache.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass_cache2.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OPolicy.ini
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_12_4892671_3_3_18467
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_14_4895046_5_3_6334
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_16_4897140_7_3_26500
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile deleted: C:\Windows\win.ini
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_0040496A0_2_0040496A
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_00406C040_2_00406C04
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_0040642D0_2_0040642D
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D82586_2_001D8258
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001E42706_2_001E4270
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_00204E916_2_00204E91
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_00204F6B6_2_00204F6B
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D15536_2_001D1553
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D17516_2_001D1751
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001F59DD6_2_001F59DD
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001E3CA16_2_001E3CA1
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001E5DDB6_2_001E5DDB
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0058081017_2_00580810
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0048E3C017_2_0048E3C0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004465FC17_2_004465FC
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004206D017_2_004206D0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0058C8C017_2_0058C8C0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0046894017_2_00468940
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004A090017_2_004A0900
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00594B1017_2_00594B10
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0058EE9017_2_0058EE90
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00590F2017_2_00590F20
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004CF11017_2_004CF110
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0058F47017_2_0058F470
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0046B40017_2_0046B400
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0046F59017_2_0046F590
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0043964217_2_00439642
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0044D6C917_2_0044D6C9
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0043981F17_2_0043981F
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004A995017_2_004A9950
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004A9AC017_2_004A9AC0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00593AE017_2_00593AE0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00463CD017_2_00463CD0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0041C1AF18_2_0041C1AF
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_004802E018_2_004802E0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_004463E018_2_004463E0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0048045018_2_00480450
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0054464018_2_00544640
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0047E73018_2_0047E730
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00496A8818_2_00496A88
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00496AA618_2_00496AA6
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00498FF018_2_00498FF0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0047344018_2_00473440
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_004975C018_2_004975C0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_004298AE18_2_004298AE
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_005159C018_2_005159C0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0054BAE718_2_0054BAE7
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_004A5AA018_2_004A5AA0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0051FBC018_2_0051FBC0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0042FB8418_2_0042FB84
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00541F1018_2_00541F10
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0041BFD218_2_0041BFD2
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_3_005633AE19_3_005633AE
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_00403A5219_2_00403A52
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1002D10E19_2_1002D10E
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1017932019_2_10179320
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_100573E019_2_100573E0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1008D51019_2_1008D510
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_100BB9B019_2_100BB9B0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10077A6019_2_10077A60
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10139DE019_2_10139DE0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_101440B019_2_101440B0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_100961F019_2_100961F0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1015022019_2_10150220
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1017A35019_2_1017A350
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1009636019_2_10096360
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1003A7EE19_2_1003A7EE
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1017484019_2_10174840
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10040B3619_2_10040B36
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10174E2019_2_10174E20
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1002CF3119_2_1002CF31
                Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Common Files\System\winrdgv3.exe A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                Source: C:\Windows\SysWOW64\Dism.exeProcess token adjusted: Load Driver
                Source: C:\Windows\SysWOW64\Dism.exeProcess token adjusted: Security
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 00449C10 appears 51 times
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 0041A810 appears 34 times
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 00420F18 appears 67 times
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 0047F5A0 appears 111 times
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 004780A0 appears 45 times
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 00481230 appears 83 times
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 00420340 appears 119 times
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: String function: 00419E70 appears 70 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 1005AC10 appears 51 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 1014FF83 appears 31 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 100954B0 appears 88 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 10026EC0 appears 34 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 10030C50 appears 83 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 10097140 appears 58 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 1008F120 appears 45 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 10026320 appears 314 times
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: String function: 10032208 appears 58 times
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: String function: 00204970 appears 386 times
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: String function: 001D1AB0 appears 90 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 004A2510 appears 45 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 00472BE0 appears 51 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 0058C4F3 appears 33 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 0043D230 appears 82 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 0043ED58 appears 59 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 004AA8A0 appears 58 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 004A8C10 appears 88 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 004245B0 appears 462 times
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: String function: 00432170 appears 34 times
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1484600965.0000000000649000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinRdgV3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %s\user.exe%xInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\Language\Common Files\Program FilesProgramFilesDirCommentsLegalTrademarksLegalCopyrightOriginalFilenameInternalNameFileDescriptionProductNameCompanyNameEnumResourceLanguagesExW%04x%04xStringFileInfoVS_VERSION_INFOTranslationVarFileInfoFileVersion%d%s%d%s%d%s%dProductVersiondll`= vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesystecv3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1483899194.000000000066E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinrdlv3.exe: vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486796477.0000000000649000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinRdgV3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486891079.0000000000676000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinrdlv3.exe: vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZmInformationNtQuerySysteodeThreadGetExitCeHandleAGetModulFICuctionCacheFlushInstrSTCdContextSetThreaGTCdContextGetThreaessMemoryWriteProcessMemoryReadProcVPErotectExVirtualPlFreeExVirtuaAllocExVirtualoteThreadCreateRemRTThreadResumedThreadSuspenhreadOpenTrocessOpenPtdetourCommentsLegalTrademarksLegalCopyrightOriginalFilenameInternalNameFileDescriptionProductNameCompanyNamedllEnumResourceLanguagesExW%04x%04xStringFileInfoVS_VERSION_INFOTranslationVarFileInfoFileVersion%d%s%d%s%d%s%dProductVersion][ vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinRdgV3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1487022338.00000000006D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinrdlv3.exe: vs #U8fdd#U89c4#U540d#U5355.exe
                Source: unknownDriver loaded: C:\Windows\System32\drivers\wimmount.sys
                Source: #U8fdd#U89c4#U540d#U5355.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: winrdgv3.exe.0.dr | Binary string: \Device\Harddisk
                Source: winwdgv3.dll.8.dr | Binary string: \Device\TSafeDiskVolume
                Source: winrdgv3.exe.0.dr | Binary string: \Device\
                Source: classification engine | Classification label: mal100.evad.winEXE@42/95@0/1
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00414F70 GetLastError,FormatMessageA,LocalFree,18_2_00414F70
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Code function: 6_2_001DD6A9 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,6_2_001DD6A9
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Code function: 6_2_001D7E8E _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,6_2_001D7E8E
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00489C90 LookupPrivilegeValueW,AdjustTokenPrivileges,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,17_2_00489C90
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040AB10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,17_2_0040AB10
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040ABD0 LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,17_2_0040ABD0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00408990 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,18_2_00408990
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00408A50 LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,18_2_00408A50
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000B7C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,19_2_1000B7C0
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1000B880 LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,19_2_1000B880
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10075DC0 LookupPrivilegeValueW,AdjustTokenPrivileges,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,19_2_10075DC0
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_0040442E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040442E
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA,17_2_0041E220
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,OpenServiceA,GetLastError,OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,CreateServiceA,ChangeServiceConfig2W,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,UnlockServiceDatabase,CloseServiceHandle,17_2_005498B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: OpenSCManagerA,LockServiceDatabase,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,UnlockServiceDatabase,CloseServiceHandle,17_2_0042B950
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: GetModuleFileNameA,RegCreateKeyA,RegSetValueExA,RegCloseKey,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,18_2_004140E0
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: GetTickCount,OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,GetLastError,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegQueryValueExA,RegSetValueExA,RegCloseKey,19_2_1001A2F0
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,OpenServiceA,GetLastError,OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,CreateServiceA,ChangeServiceConfig2W,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,UnlockServiceDatabase,CloseServiceHandle,19_2_10070340
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1002B770 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,19_2_1002B770
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,0_2_00402036
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0045A260 FindResourceExA,LoadResource,17_2_0045A260
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0041E220 OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA,17_2_0041E220
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0041400B StartServiceCtrlDispatcherA,18_2_0041400B
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Program Files (x86)\Common Files\System\systecv3.exe
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_agentinfoid
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_AGENTTASKLOG.DAT
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_2
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_1
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Local\TEC_HOOKAPI_TSCDT_STATE_LOCK_LOCAL__SPECIAL_PATH
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR_DRV_LOCK
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_SERVER_TIME_4890671_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_agentips
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_MSOOLDDEV.DAT
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINRDG32
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR_V3_FMB_LOCKNAME_APPKEY_
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_hookapi_url_specialbrowser
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_OAGENTL.HLP
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_AGENTTASKLIST.DAT
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_DISABLE_NETWORK_CARD_IP_4885093_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_ipclass_range
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Local\TEC_HOOKAPI_TSCDT_STATE_LOCK_LOCAL
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_LOCAL_VOLUMES_MSG_4885093_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_serverports
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Local\TEC_OCULAR__AGENT_V3_MUTEX_AGENT_pid7368
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_intranetips
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_OPOLICY.INI
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_MSMIDTIERSERVERCLASS3.DAT
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_portclass_range
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\SECURITYUDISK_LOG_MUTEX
                Source: C:\Windows\System32\wimserv.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\SINGLEINSTANCE-a87a5149-c7b0-4e41-bd88-ef52e4b1f2cb
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_HOOKAPI_TSCDT_TOBETARPROC_LOCK_GLOBAL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDGSVR
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_AGENT_SHARELISTIDX_1_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_MSMIDTIERSERVERCLASS_CACHE3.DAT
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_SERVER_TIME_4951187_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_HOOKAPI_TSCDT_PROCINFO_LOCK_GLOBAL
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_AGENT
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\INIW_OAGENT.INI
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\L_-1
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_localips
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Mutant created: \BaseNamedObjects\Global\OAV3_XMsgFrame_NAMETABLEMAP_MapLock
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\nsw5B08.tmp
                Source: #U8fdd#U89c4#U540d#U5355.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: #U8fdd#U89c4#U540d#U5355.exe | Virustotal: Detection: 17%
                Source: #U8fdd#U89c4#U540d#U5355.exe | ReversingLabs: Detection: 23%
                Source: systecv3.exe | String found in binary or memory: set-addPolicy
                Source: systecv3.exe | String found in binary or memory: id-cmc-addExtensions
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File read: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                Source: unknown | Process created: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\Dism.exe dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System"
                Source: C:\Windows\SysWOW64\Dism.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\Dism.exe | Process created: C:\Windows\System32\wimserv.exe wimserv.exe a87a5149-c7b0-4e41-bd88-ef52e4b1f2cb
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Program Files (x86)\Common Files\System\systecv3.exe "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
                Source: unknown | Process created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe "C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Process created: C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
                Source: C:\Windows\SysWOW64\winrdlv3.exeProcess created: C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Windows\SysWOW64\winrdlv3.exe "C:\Windows\system32\winrdlv3.exe" SW_HIDE
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Windows\SysWOW64\Dism.exe Dism /Unmount-Wim /MountDir:"C:\Users\user\AppData\Local\Temp\System" /commit
                Source: C:\Windows\SysWOW64\Dism.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
                Source: C:\Windows\SysWOW64\winrdlv3.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: acgenral.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: dwmapi.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: shfolder.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: dui70.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: duser.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: chartv.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: oleacc.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: atlthunk.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: textinputframework.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: coreuicomponents.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: coremessaging.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: wtsapi32.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: winsta.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: explorerframe.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: windows.fileexplorer.common.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: linkinfo.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: ntshrui.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: cscapi.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: dismcore.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: dbghelp.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: dbgcore.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: wdscore.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: xmllite.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: wimgapi.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: fltlib.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: msv1_0.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: ntlmshared.dll
                Source: C:\Windows\SysWOW64\Dism.exe | Section loaded: cryptdll.dll
                Source: C:\Windows\System32\wimserv.exe | Section loaded: cabinet.dll
                Source: C:\Windows\System32\wimserv.exe | Section loaded: fltlib.dll
                Source: C:\Windows\System32\wimserv.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wimserv.exe | Section loaded: msv1_0.dll
                Source: C:\Windows\System32\wimserv.exe | Section loaded: ntlmshared.dll
                Source: C:\Windows\System32\wimserv.exe | Section loaded: cryptdll.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: acgenral.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: samcli.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: dwmapi.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: sfc.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: acgenral.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: samcli.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: dwmapi.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: sfc.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: apphelp.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: acgenral.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: uxtheme.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: winmm.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: samcli.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: msacm32.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: version.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: userenv.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: dwmapi.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: urlmon.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: mpr.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: winmmbase.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: iertutil.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: srvcli.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: netutils.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: aclayers.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: sfc.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: sfc_os.dll
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Section loaded: ntmarta.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: apphelp.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: mpr.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: version.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: winwdgv3.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: winoav3.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: thooksv3.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: msi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: wtsapi32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: udiskiddll.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: funcextv.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: tvdmount.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: tvdfmt.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: winncap3.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: tnfcapinst.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: devobj.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: netsetupshim.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: netsetupapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: devrtl.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: netsetupengine.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: wlanapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: tijtdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: thlpdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: trmenushl.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: linkinfo.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: winsta.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exe Section loaded: wfirewallv.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File written: C:\Users\user\AppData\Local\Temp\Languages\zh_hk.ini
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\winrdlv3.exe Key opened: HKEY_USERS.DEFAULT\Software\Microsoft\Office\9.0\Outlook\Resiliency\DoNotDisableAddinList
                Source: #U8fdd#U89c4#U540d#U5355.exe Static file information: File size 14038624 > 1048576
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\systecv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\V4\4.73.808.X\4.0.0.31\Bin\Release\winoav3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinRdgv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000531B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe.0.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv3.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, winwdgv3.dll.8.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv364.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: H:\WorkshopAgent\DevelopProjX\winrdlv3\Bin\Release\WinRdlv3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\WorkshopAgent\DevelopProj2\AgentInstaller\Inner\PreRelease\AInstallV3\Bin\Unicode_Release\LInstSvr.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, LInstSvr.exe.6.dr
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Code function: 0_2_0040602D GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040602D
                Source: 7z.exe.0.dr Static PE information: section name: .sxdata
                Source: 7z.dll.0.dr Static PE information: section name: .sxdata
                Source: C:\Windows\SysWOW64\winrdlv3.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_002042B0 push ecx; mov dword ptr [esp], ecx 6_2_002042B1
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_00204970 push eax; ret 6_2_0020498E
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_00204D10 push eax; ret 6_2_00204D3E
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_0043ED58 push eax; ret 17_2_0043ED76
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_0043CF54 pushad ; iretd 17_2_0043CF55
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_0043D230 push eax; ret 17_2_0043D25E
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_005E35D8 push ecx; iretd 17_2_005E36AB
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_005E35C8 push ecx; iretd 17_2_005E36AB
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_005E3598 push ecx; iretd 17_2_005E36AB
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_005E3588 push ecx; iretd 17_2_005E36AB
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_005E3698 push ecx; iretd 17_2_005E36AB
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00420340 push eax; ret 18_2_0042036E
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0046EA98 push 8B0F7EFCh; retf 18_2_0046EA9D
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00420F18 push eax; ret 18_2_00420F36
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0046F788 push 8B0F7EFCh; retf 18_2_0046F78D
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_3_00562E78 push esi; iretd 19_3_00562E79
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_3_005643E1 push esi; iretd 19_3_005643E2
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_00403100 push eax; ret 19_2_0040312E
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10032208 push eax; ret 19_2_10032226
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10030C50 push eax; ret 19_2_10030C7E

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\winrdlv3.exe | Executable created and started: C:\Windows\SysWOW64\winrdlv3.exe
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\bakoav3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\bakrdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\bakrdlv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\bakstec3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\bakwdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\bakwdgv364.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\SysWOW64\bakrdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\SysWOW64\bakstec3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\SysWOW64\winwdgv3.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll
                Source: C:\Windows\System32\wimserv.exe | File created: C:\Users\user\AppData\Local\Temp\System\systecv3.exe
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\SysWOW64\winrdlv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\7z.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\SysWOW64\winoav3.dll
                Source: C:\Windows\System32\wimserv.exe | File created: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Windows\System32\winwdgv364.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\7z.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | File created: C:\Windows\LInstSvr.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Program Files (x86)\Common Files\System\systecv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File created: C:\Users\user\AppData\Local\Temp\LICENSE.electron.txt

                Boot Survival

                Source: C:\Windows\SysWOW64\winrdlv3.exe | Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Registry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.Winhlpsvr NULL
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\OAgent
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0041E220 OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA | 17_2_0041E220

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\wimserv.exe | File opened: NULL
                Source: C:\Windows\SysWOW64\Dism.exe | File opened: NULL
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0043C2EF IsIconic,GetWindowPlacement,GetWindowRect | 17_2_0043C2EF
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0041EC7F IsIconic,GetWindowPlacement,GetWindowRect | 18_2_0041EC7F
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1002FC42 IsIconic,GetWindowPlacement,GetWindowRect | 19_2_1002FC42
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00416020 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 17_2_00416020
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\Dism.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 6.3.7z.exe.31b0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 20.2.winrdlv3.exe.10000000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 7z.exe PID: 8120, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: winrdlv3.exe PID: 7368, type: MEMORYSTR
                Source: Yara match | File source: C:\Windows\SysWOW64\winoav3.dll, type: DROPPED
                Source: Yara match | File source: C:\Windows\bakoav3.sys, type: DROPPED
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_100CD970 | 19_2_100CD970
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Stalling execution: Execution stalls by calling Sleep
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Stalling execution: Execution stalls by calling Sleep
                Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004A6280 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError | 17_2_004A6280
                Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: OpenSCManagerA,OpenSCManagerA,GetLastError,OpenSCManagerA,GetLastError,EnumServicesStatusA,OpenSCManagerA,GetLastError,EnumServicesStatusA,GetLastError,CloseServiceHandle | 19_2_10071B50
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Dropped PE file which has not been started: C:\Windows\bakwdgv364.sys
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Dropped PE file which has not been started: C:\Windows\bakwdgv3.sys
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7z.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Dropped PE file which has not been started: C:\Windows\System32\winwdgv364.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Dropped PE file which has not been started: C:\Windows\bakoav3.sys
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Dropped PE file which has not been started: C:\Windows\LInstSvr.exe
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Evasive API call chain: GetLocalTime,DecisionNodes
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Evasive API call chain: GetLocalTime,DecisionNodes
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | API coverage: 7.6 %
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | API coverage: 2.6 %
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | API coverage: 1.8 %
                Source: C:\Windows\SysWOW64\winrdlv3.exe | API coverage: 3.0 %
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe TID: 6536 | Thread sleep count: 99 > 30
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe TID: 7880 | Thread sleep count: 100 > 30
                Source: C:\Windows\SysWOW64\winrdlv3.exe | File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exe | File Volume queried: \Device\CdRom0\ FullSizeInformation
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_00406006 FindFirstFileA,FindClose | 0_2_00406006
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_004055C2 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_004055C2
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_00402647 FindFirstFileA | 0_2_00402647
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Code function: 6_2_001D58C4 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW | 6_2_001D58C4
                Source: C:\Users\user\AppData\Local\Temp\7z.exe | Code function: 6_2_001D7635 FindFirstFileW | 6_2_001D7635
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_005BC1BB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA | 17_2_005BC1BB
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00481E70 FindFirstFileA,FindNextFileA,FindClose | 17_2_00481E70
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040C0B0 FindFirstFileA,FindNextFileA,FindClose | 17_2_0040C0B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00482180 FindFirstFileW,FindNextFileW,FindClose | 17_2_00482180
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040C2E0 FindFirstFileW,FindNextFileW,FindClose | 17_2_0040C2E0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00414440 FindFirstFileW,FindClose | 17_2_00414440
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004144B0 FindFirstFileW,FindFirstFileW | 17_2_004144B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0048A500 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose | 17_2_0048A500
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00482600 FindFirstFileW,FindNextFileW,SetLastError,FindClose | 17_2_00482600
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_005BC6D1 FindFirstFileA,FindClose | 17_2_005BC6D1
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00482A60 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose | 17_2_00482A60
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040EB60 CopyFileA,SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose | 17_2_0040EB60
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040CE50 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA | 17_2_0040CE50
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00468FC0 GetFileAttributesA,FindFirstFileA,FindClose,CreateFileA,GetFileTime,CloseHandle,GetLocalTime | 17_2_00468FC0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00481060 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError | 17_2_00481060
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00483000 FindFirstFileW,FindNextFileW,SetLastError,FindClose | 17_2_00483000
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0058B0C7 lstrcpyA,FindFirstFileA,GetLastError,SetLastError | 17_2_0058B0C7
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040D0B0 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW | 17_2_0040D0B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004111E0 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose | 17_2_004111E0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00481180 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError | 17_2_00481180
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004052A0 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose | 17_2_004052A0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040D450 FindFirstFileW,MoveFileExA,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose | 17_2_0040D450
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040F400 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose | 17_2_0040F400
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00483480 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose | 17_2_00483480
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040DB10 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose | 17_2_0040DB10
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00427B30 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,DeleteFileA | 17_2_00427B30
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0045A030 FindFirstFileW,FindNextFileW,SetLastError,FindClose | 18_2_0045A030
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00458090 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError | 18_2_00458090
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040A160 FindFirstFileW,FindNextFileW,FindClose | 18_2_0040A160
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_004581B0 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError | 18_2_004581B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_004122B0 FindFirstFileW,FindClose | 18_2_004122B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00412320 FindFirstFileW,FindFirstFileW | 18_2_00412320
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0045A4B0 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose | 18_2_0045A4B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00404940 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose | 18_2_00404940
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040C9E0 SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose | 18_2_0040C9E0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040ACD0 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA | 18_2_0040ACD0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00458EA0 FindFirstFileA,FindNextFileA,FindClose | 18_2_00458EA0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040AF30 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW | 18_2_0040AF30
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00548FAB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA | 18_2_00548FAB
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040F060 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose | 18_2_0040F060
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_004591B0 FindFirstFileW,FindNextFileW,FindClose | 18_2_004591B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040B2D0 FindFirstFileW,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose | 18_2_0040B2D0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0040D280 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose | 18_2_0040D280
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_005494C1 FindFirstFileA,FindClose,18_2_005494C1
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00475670 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,18_2_00475670
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00459630 FindFirstFileW,FindNextFileW,SetLastError,FindClose,18_2_00459630
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0040B990 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,18_2_0040B990
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00459A90 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,18_2_00459A90
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00409F30 FindFirstFileA,FindNextFileA,FindClose,18_2_00409F30
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1017F1D9 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,19_2_1017F1D9
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006B030 FindFirstFileExW,FindFirstFileW,FindNextFileW,SetLastError,FindClose,19_2_1006B030
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1014F097 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,19_2_1014F097
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10069090 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError,19_2_10069090
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_100150F0 FindFirstFileW,FindClose,19_2_100150F0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10015160 FindFirstFileW,FindFirstFileExW,FindFirstFileW,19_2_10015160
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_100691B0 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError,19_2_100691B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006B4B0 FindFirstFileW,FindFirstFileExW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,19_2_1006B4B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1017F6EF FindFirstFileA,FindClose,19_2_1017F6EF
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000F810 SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_1000F810
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000DB00 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA,19_2_1000DB00
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000DD60 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW,19_2_1000DD60
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10011E90 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose,19_2_10011E90
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10069EA0 FindFirstFileA,FindNextFileA,FindClose,19_2_10069EA0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_100100B0 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_100100B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000E100 FindFirstFileW,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose,19_2_1000E100
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006A1B0 FindFirstFileW,FindNextFileW,FindClose,19_2_1006A1B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006A630 FindFirstFileExW,FindFirstFileW,FindNextFileW,SetLastError,FindClose,19_2_1006A630
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10076630 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,19_2_10076630
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000E7C0 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_1000E7C0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006AA90 FindFirstFileW,FindFirstFileExW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,19_2_1006AA90
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10006B60 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,19_2_10006B60
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000CD60 FindFirstFileA,FindNextFileA,FindClose,19_2_1000CD60
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000CF90 FindFirstFileW,FindNextFileW,FindClose,19_2_1000CF90
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_001D62DF __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,6_2_001D62DF
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_001D861A GetSystemInfo,6_2_001D861A
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\Temp\
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ROMNECVMWARVMWARE_SATA_CD001.00
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @vmicvss
                Source: winrdlv3.exe, 00000014.00000003.2085473245.000000000065C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2628882544.0000000010C12000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: wxwork.exeqq.exeteamviewer_service.exe;vncserver.exe;ToDesk_Service.exe;SunloginClient.exe;winvnc4.exeteamviewer_service.exewwahost.exevmware-authd.exeRsTray.exe;RsMain.exe;RsConfig.exe;RavTray.exe;ScanFrm.exe;RavMonD.exeCTIjtDrvRule::SetDefRule [====]CTIjtDrvRule::SetDefRule [i = %d] [ret = %d] [%d %d %s %d %d %d] [%s] [%s]CTIjtDrvRule::SetDefRule [Config] 2 [!!!!] [%d]CTIjtDrvRule::SetDefRule [Config] 1 [%d] [%08x]CTIjtDrvRule::SetDefRule [----]CTIjtDrvRule::CheckRule [====]CTIjtDrvRule::CheckRule 3 [%d %d %d]CTIjtDrvRule::CheckRule 2 [%d %d]CTIjtDrvRule::CheckRule 1 [%08x] [%s]CTIjtDrvRule::CheckRule [----]CTIjtDrvRule::AppRule [i = %d] [ret = %d] [####] [%d %d %s %d %d %d] [%s] [%s]CheckIjtDrvToVds [%d][%s];Guid={F3CDAA5B-457B-4EA6-B5B5-9C50D1F7B86F},Id=102,Type=1,Mode=1,Bit=2,Procs=vds.exe,Modules=winhafnt64.dll;Guid={263A953C-7091-4D30-955F-55D57A00BF55},Id=102,Type=1,Mode=1,Bit=1,Procs=vds.exe,Modules=winhafnt.dllvds.exe
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DiskVMware__Virtual_disk____2.0_
                Source: winrdlv3.exe, 00000014.00000002.2628122545.0000000010AFF000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: ad [=====]CAgent::StartHlpThread [-----]CAgent::StopHlpThread [=====]CAgent::StopHlpThread [-----]CAgent::StartHlp2Thread [=====]CAgent::StartHlp2Thread [-----]CAgent::StopHlp2Thread [=====]CAgent::StopHlp2Thread [-----]CAgent::Start [===========]PolicyUpdateTimePolicyNumCrashOAgentTrayInfoCAgent::Start TKSAgent [!!!!]TKSAgentCAgent::Start [=====]CAgent::Start 2CAgent::Start 1CAgent::Start TryConnectSvr 0x%lxCAgent::Start AEApply 2CAgent::Start AEApply 1CAgent::Start THlpDrvCAgent::Start TIjtCAgent::Start TIjtDrv 6CAgent::Start TIjtDrv 5CAgent::Start TIjtDrv 41 [%d %d]CAgent::Start TIjtDrv 4CAgent::Start TIjtDrv 3CAgent::Start TIjtDrv 2CAgent::Start TIjtDrv 13 [%d]CAgent::Start TIjtDrv 12 [%08x %08x]CAgent::Start TIjtDrv 11 [%S %S] [%08x]baktijtdrv64.sysTIjtDrv64.sysbaktijtdrv32.sysTIjtDrv32.sysCAgent::Start TIjtDrv [Config] 2 [!!!!] [%d]CAgent::Start TIjtDrv [Config] 1 [%d] [%08x]TIjtDrvCAgent::Start TIjtDrv 1CAgent::DoMonitor [BaoMiJun] Initialize 2PersonIDCAgent::DoMonitor [BaoMiJun] Initialize 1CAgent::Start Dump Trace 0x%lx %luAgentDumpCAgent::Start ConnectABSvr 0x%lxCAgent::Start MonitorSessionInfo 0x%lxCAgent::Start KillSelTimer [%d]CAgent::Start notifychangeidsCAgent::Start PolicyImportToolAgentExtendedConfig.datPolicyImportTool.exeCAgent::Start agttoolAgt3Tool.exeCAgent::Start tsdUninstallDriver 2[ret: %d %d]_DeltsysdrvUninstallDriver 1[ret: %d %d]TSysDrvbaktsdrvd.systsysdrv.dllCAgent::Start tpacketbaktpktn.sysCAgent::Start udp IsDisPort[%d]CAgent::Start getbasinfoCAgent::Start getverinfoCAgent::Start wpinstCAgent::Start wsecmgrCAgent::Start deploymgrCAgent::Start deploymgr 0 [%d]CAgent::Start printmgrCAgent::Start logonnotifyCAgent::Start devmgrCAgent::Start basmgrCAgent::Start ftsvrCAgent::Start vconnmgrCAgent::Start authormgrCAgent::Start tsfaenetCAgent::Start rasmgrCAgent::Start msgmgrCAgent::Start netcap [m_bStartTnfcap : %d]TnfcapInst.dllCAgent::Start netcap 2 (%08x)CAgent::Start netcap ## [%d %08x]CAgent::Start netcap 1 (%08x)CAgent::Start udiskdrvCAgent::Stop udiskdrv 3 [%lu]CAgent::Start udiskdrv 3 [%lu] [%lu]CAgent::Start udiskdrv 2CAgent::Start udiskdrv 1%s\drivers\%stvdisk.sysbaktvd64.sysbaktvd.sysCAgent::Start comdllwinoacbakoacCAgent::Start AgentUCAgent::Start initbaslogCAgent::Start SDCenterCAgent::Start config [Mode : %d]CAgent::Start enmodCAgent::Start enmod 3 [%lu] [%lu]CAgent::Start enmod 2CAgent::Start enmod 1bakencyx.syswinencyx.dllCAgent::Start sessmgrCAgent::Start tcpCAgent::Start CheckSDHwInfo 0x%lxCAgent::Start TranBufToOtherFile [msusersystemservercfgclass]CAgent::Start initpolicyCAgent::Start [TIjtNecessity]CAgent::Start [SyncTimeZone] [%d]CAgent::Start [Offline] [@@@@] [%d]CAgent::Start [Offline] [%d]CAgent::Start g_sdUDiskMgrAgent.IsExpireSyncTimeCAgent::Start synctime 2 (%08x)(%08x) (%08x)CAgent::Start synctime [%08x] [%s] [%08x] [%d] [%08x][%s]SetPID::%lu/0x%lxSetPID::0x%lxsoftware\TEC\Ocular.3\ShareData\EDBAKTIMEsoftware\TEC\Ocular.3\ShareData\DEFSEsoftware\TEC\Ocular.3\Agent\SDSystem\FilePathManagersoftw
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.00
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `VMware_SATA_CD001GenCdRom
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000da5&0&0001t
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard USB 3.1 eXtensible Host Controller - 1.0 (Microsoft)0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD00
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWAR VMWARE SATA CD00
                Source: winrdlv3.exe, 00000014.00000003.2085252910.0000000000640000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2620945707.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter4
                Source: winrdlv3.exe, 00000014.00000003.2084871740.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2621653178.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @wgencounter.infgencounter.devicedescMicrosoft Hyper-V Generation CounterSYS_040515ADPCI\VEN_15AD&DEV_0405&CC_030000PCI\VEN_15AD&DEV_0405&CC_0300
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DiskVMware__SCSI\VMware__Virtu@
                Source: winrdlv3.exe, 00000014.00000003.1623609118.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000_6600_@_2.40_GHz\_1
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PCI\VEN_8086&DEV_7111&SUBSYS_197615AD&REV_01Intel(R) 82371AB/EB PCI Bus Master IDE Controller#PPMHVMware VMCI Bus DevicePCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10NOT FOUNDvmci
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: kI\Device\00000025SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
                Source: winrdlv3.exe, 00000014.00000003.1472967472.0000000000656000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ecvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volux
                Source: winrdlv3.exe, 00000014.00000003.1484883344.000000000065A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}efb8b}b8b}
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &@SCSI\CDROMNECVMWARVMWARE_SATA_CD001.000000ID_0003&REV_0102<
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware_SATA_CD001
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_Y
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
                Source: winrdlv3.exe, 00000014.00000003.1473116955.0000000000662000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: om&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1493739618.000000000068C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
                Source: winrdlv3.exe, 00000014.00000003.1482481589.000000000065A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2626684237.0000000003F50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1511042557.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomO
                Source: winrdlv3.exe, 00000014.00000003.1510131773.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W
                Source: winrdlv3.exe, 00000014.00000002.2621653178.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomJ
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1496857306.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2622011718.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1507654141.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )ACPI\VEN_PNP&DEV_0A03PCI Bus%PPMHMicrosoft Hyper-V Generation CounterACPI\VEN_VMW&DEV_00017gencounter
                Source: winrdlv3.exe, 00000014.00000003.1455626270.0000000000E79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex,PPMHVMware Virtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000r3
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @NECVMWAR VMWARE SATA CD00ler&MI_0100002- 1.0 (Microsoft)\
                Source: winrdlv3.exe, 00000014.00000002.2623053817.00000000013C2000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.\Device\00000025
                Source: winrdlv3.exe, 00000014.00000003.1455626270.0000000000E79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PCI\VEN_8086&DEV_7111&SUBSYS_197615AD&REV_01Intel(R) 82371AB/EB PCI Bus Master IDE Controller#PPMHVMware VMCI Bus DevicePCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10NOT FOUNDvmci
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
                Source: winrdlv3.exe, 00000014.00000003.1624117621.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000&0001@_2.40_GHz\_0VcX
                Source: winrdlv3.exe, 00000014.00000002.2623053817.00000000013C2000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.00%
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device
                Source: winrdlv3.exe, 00000014.00000003.1479832260.000000000065C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ecvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
                Source: winrdlv3.exe, 00000014.00000003.1460447127.0000000000E91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex0PPMHNECVMWar VMware SATA CD00SCSI\CdRomNECVMWarVMware_SATA_CD001.00NOT FOUNDcdrom
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @ClipSVC VMWARE SATA CD00ler&MI_01<
                Source: winrdlv3.exe, 00000014.00000003.1511042557.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1459327768.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455213116.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565229125.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PPMHMicrosoft Hyper-V Virtualization Infrastructure Driver
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex0PPMHNECVMWar VMware SATA CD00SCSI\CdRomNECVMWarVMware_SATA_CD001.00NOT FOUNDcdrom
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus DeviceEV_1001HDAUDIO\FUNC_01&VEN_15AD&DEV_1975&SUBSYS_15AD1975O
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000da5&0&0001
                Source: winrdlv3.exe, 00000014.00000003.1472967472.000000000065E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom]
                Source: winrdlv3.exe, 00000014.00000003.1502270246.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1623609118.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PPMHVMware Virtual disk SCSI Disk Device
                Source: winrdlv3.exe, 00000014.00000003.2084871740.000000000068E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @CDPSvcROMNECVMWARVMWARE_SATA_CD001.000000L
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex,PPMHVMware Virtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PPMHVMware VMCI Bus Device
                Source: winrdlv3.exe, 00000014.00000003.1511042557.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SCSI\NECVMWarVMware_SATA_CD001
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1459327768.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455213116.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565229125.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PPMHMicrosoft Hyper-V Virtualization Infrastructure DriverROOT\VID0000Vid
                Source: #U8fdd#U89c4#U540d#U5355.exe Binary or memory string: >QEMu
                Source: winrdlv3.exe, 00000014.00000003.1510131773.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000_6600_@_2.40_GHz\_1.dll,-21781
                Source: winrdlv3.exe, 00000014.00000003.1483825457.0000000000675000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: xwork.exeqq.exeteamviewer_service.exe;vncserver.exe;ToDesk_Service.exe;SunloginClient.exe;winvnc4.exeteamviewer_service.exewwahost.exevmware-authd.exeRsTray.exe;RsMain.exe;RsConfig.exe;RavTray.exe;ScanFrm.exe;RavMonD.exeCTIjtDrvRule::SetDefRule [====]CTIjtDrvRule::SetDefRule [i = %d] [ret = %d] [%d %d %s %d %d %d] [%s] [%s]CTIjtDrvRule::SetDefRule [Config] 2 [!!!!] [%d]CTIjtDrvRule::SetDefRule [Config] 1 [%d] [%08x]CTIjtDrvRule::SetDefRule [----]CTIjtDrvRule::CheckRule [====]CTIjtDrvRule::CheckRule 3 [%d %d %d]CTIjtDrvRule::CheckRule 2 [%d %d]CTIjtDrvRule::CheckRule 1 [%08x] [%s]CTIjtDrvRule::CheckRule [----]CTIjtDrvRule::AppRule [i = %d] [ret = %d] [####] [%d %d %s %d %d %d] [%s] [%s]CheckIjtDrvToVds [%d][%s];Guid={F3CDAA5B-457B-4EA6-B5B5-9C50D1F7B86F},Id=102,Type=1,Mode=1,Bit=2,Procs=vds.exe,Modules=winhafnt64.dll;Guid={263A953C-7091-4D30-955F-55D57A00BF55},Id=102,Type=1,Mode=1,Bit=1,Procs=vds.exe,Modules=winhafnt.dllvds.exe
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @vmicshutdown$
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus DeviceEV_1001HDAUDIO\FUNC_01&VEN_15AD&DEV_1975&SUBSYS_15AD1975
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00
                Source: winrdlv3.exe, 00000014.00000003.1493284803.0000000000682000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gstorage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @vmicheartbeat4
                Source: winrdlv3.exe, 00000014.00000003.1508954338.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PPMHNECVMWar VMware SATA CD00
                Source: winrdlv3.exe, 00000014.00000003.1481626702.0000000000EB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
                Source: winrdlv3.exe, 00000014.00000003.1502270246.0000000000EB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}b8b}
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                Source: winrdlv3.exe, 00000014.00000002.2620945707.0000000000641000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&z
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                Source: winrdlv3.exe, 00000014.00000003.1479785833.000000000067C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1481226546.0000000000ED2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: irtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000002.2623053817.00000000013C2000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.\Device\00000025SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomSCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRom\Device\00000025SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomD{
                Source: winrdlv3.exe, 00000014.00000003.1627505894.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PCI Express Root Complex0PPMHNECVMWar VMware SATA CD00SCSI\CdRomNECVMWarVMware_SATA_CD001.00NOT FOUNDcdrom
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMWARE SATA CD00
                Source: winrdlv3.exe, 00000014.00000003.1510604217.00000000006BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.2620210881.000001D277238000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: winrdlv3.exe, 00000014.00000003.1479541030.0000000000665000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pdstorage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\B
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000008}W
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @dot3svc\DiskVMware__Virtual_disk____2.0_
                Source: winrdlv3.exe, 00000014.00000003.1481626702.0000000000EB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DiskVMware__Virtual_disk____2.0_
                Source: winrdlv3.exe, 00000014.00000003.1480247278.0000000000674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: estorage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2620945707.0000000000641000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Elscsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&00000
                Source: svchost.exe, 0000001C.00000002.2621109761.0000020A89A00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1496857306.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2622011718.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1507654141.0000000002DC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PPMHMicrosoft Hyper-V Generation Counter
                Source: winrdlv3.exe, 00000014.00000003.1493777491.0000000000682000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gscsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\winrdlv3.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004A6280 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Code function: 0_2_0040602D GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004100C0 GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetProcessHeap,HeapFree
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\winrdlv3.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004482DC SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004482EE SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0042A849 SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_0042A837 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_10017C80 SetErrorMode,SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1003B777 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: 19_2_1003B789 SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_00489310 LogonUserA,LogonUserW,LogonUserA
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\Dism.exe dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System"
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Program Files (x86)\Common Files\System\systecv3.exe "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\winrdlv3.exe "C:\Windows\system32\winrdlv3.exe" SW_HIDE
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\Dism.exe Dism /Unmount-Wim /MountDir:"C:\Users\user\AppData\Local\Temp\System" /commit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_004D6120 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CloseHandle,CloseHandle
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: 17_2_0040FF00 GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,EqualSid,FreeSid
Source: winrdlv3.exe, 00000013.00000002.2623505247.00000000101D9000.00000008.00000001.01000000.00000013.sdmp | Binary or memory string: ;;ConvertSidToStringSidAadvapi32.dllConvertSidToStringSidWdefaultShell_TrayWnd%s\Explorer.exeCoCreateGuidole32.dll\*\*2008nameStaWdgSvrINJWdgMod...\\?\UNC\\\\\?\\\.\%s.bak%08X_tmpChangeWindowMessageFilteruser32.dllfloppycdromA:NTFSEXFATFAT32FAT32FATFAT12FAT16FAT16A:\\\.\A:%s.%s.%s.%s\logon.exeSysVol\Global??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUMEGlobal??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\\.\\\?\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUME%s\*Temp_Docerr_SCDTTempTKStsdocbakWinPatchfilesMailsLeaveMailsTempmails\\GetComputerNameExWGetComputerNameExAexplorer.exeExplorer.exe%s"%s" %sScreen-saverScreenSaverDisconnectWinlogonGetCompressedFileSizeWtooltips_class32%s%sGetLastInputInfoUser32.dll%d%s=|%s=LockWorkStationImmDisableIMEImm32.dllNoModifyNoRepairDisplayIconDisplayVersionInstallDatePublisherDisplayNameUninstallStringSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSetFilePointerExA:%sCertNameToStrWcrypt32.dllWTHelperGetProvCertFromChainWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataWinVerifyTrustExwintrust.dllsign[%s] CKDigitalSignature::IsSigned WinVerifyTrust err[0x%x]CKDigitalSignature::GetSignName dwRetCode(0x%x) wszInfo(%s)CKDigitalSignature::GetSignName 6CKDigitalSignature::GetSignName 5CKDigitalSignature::GetSignName 4CKDigitalSignature::GetSignName 3CKDigitalSignature::GetSignName 2CKDigitalSignature::GetSignName 1CKDigitalSignature::GetSignNameSecurityCKSecuri
Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.000000000407A000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D2A000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, winwdgv3.dll.8.dr | Binary or memory string: ;;ConvertSidToStringSidAadvapi32.dllConvertSidToStringSidWdefaultShell_TrayWnd%s\Explorer.exeCoCreateGuidole32.dll\*\*2008nameStaWdgSvrINJWdgMod...\\?\UNC\\\\\?\\\.\%s.bak%08X_tmpChangeWindowMessageFilteruser32.dllfloppycdromA:NTFSEXFATFAT32FAT32FATFAT12FAT16FAT16A:\\\.\A:%s.%s.%s.%s\logon.exeSysVol\Global??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUMEGlobal??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\\.\\\?\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUME%s\*Temp_Docerr_SCDTTempTKStsdocbakWinPatchfilesMailsLeaveMailsTempmails\\GetComputerNameExWGetComputerNameExAexplorer.exeExplorer.exe%s"%s" %sScreen-saverScreenSaverDisconnectWinlogonGetCompressedFileSizeWtooltips_class32%s%sGetLastInputInfoUser32.dll%d%s=|%s=LockWorkStationImmDisableIMEImm32.dllNoModifyNoRepairDisplayIconDisplayVersionInstallDatePublisherDisplayNameUninstallStringSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSetFilePointerExA:%sCertNameToStrWcrypt32.dllWTHelperGetProvCertFromChainWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataWinVerifyTrustExwintrust.dllsign[%s] CKDigitalSignature::IsSigned WinVerifyTrust err[0x%x]CKDigitalSignature::GetSignName dwRetCode(0x%x) wszInfo(%s)CKDigitalSignature::GetSignName 6CKDigitalSignature::GetSignName 5CKDigitalSignature::GetSignName 4CKDigitalSignature::GetSignName 3CKDigitalSignature::GetSignName 2CKDigitalSignature::GetSignName 1CKDigitalSignature::GetSignNameSecurityCKSecurity::AddAccountMask [####] [ret: %d] [Path: %s] [Name: %s] [Mask: %08x] [Sid: %08x]CKSecurity::AddAccountMask2 [####] [ret: %d] [Path: %s] [Mask: %08x] [Name: %s] [Sid: %08x]NULLCKSecurity::AddEveryoneMask [####] [ret: %d] [Path: %s] [Mask: %08x] [Sid: %08x]S-1-15-2-1S-1-15-2-2CKSecurity::AddAccountMask [####] [Sel] [ret: %d] [myerror: %d] [Path: %s] [Mask: %08x] [Sid: %08x]CKSecurity::GetSid [####] [ret: %d] [myerror: %d] [Name: %s] [Sid: %08x]CKSecurity::GetSid2 [####] [ret: %d] [myerror: %d] [Name: %s] [Sid: %08x]CKSecurity::GetEveryoneSid [####] [ret: %d] [myerror: %d] [Sid: %08x]S-1-1-0CKSecurity::GetSd [####] [ret: %d] [myerror: %d] [Path: %s] [Sd: %08x]CKSecurity::SetSd [####] [ret: %d] [Path: %s] [Sd: %08x]CKSecurity::IsDenyInSd [####] [ret: %d] [myerror: %d] [Sd: %08x]CKSecurity::IsInSd [####] [ret: %d] [myerror: %d] [Sd: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::CopySd [####] [ret: %d] [myerror: %d] [SrcSd: %08x] [DstSd: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::GetAcl [####] [ret: %d] [Sd: %08x] [Acl: %08x] [b: %08x]CKSecurity::SetAcl [####] [ret: %d] [Acl: %08x] [Sd: %08x]CKSecurity::CopyAcl [####] [ret: %d] [myerror: %d] [Sd: %08x] [Acl: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::CopyAcl [####] [Inner] [ret: %d] [myerror: %d] [SrcAcl: %08x] [DstAcl: %08x] [b: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::IsDenyInAcl [####] [Inner] [ret: %d] [myerror: %d] [Acl: %08x] [Index: %d]CKSecurity::IsInAcl [####] [Inner] [ret: %d] [myerror: %d] [Acl: %08x] [Si
Source: 7z.exe, 00000006.00000003.1419070470.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2627798055.0000000010A76000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: CAdminTokenMgr::CreateAdminToken [=====] [hUserToken = %08x], [hAdminToken = %08x], [OnlyAdminGroup = %d], [dwAdminType = %d]explorer.exeDefaultShell_TrayWnd
Source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: explorer.exeExplorer.exeShell_TrayWnd"
Source: wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1439500767.0000000000917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;ConvertSidToStringSidAadvapi32.dllConvertSidToStringSidWdefaultShell_TrayWnd%s\Explorer.exeCoCreateGuidole32.dll\*\*2008nameStaWdgSvrINJWdgMod...\\?\UNC\\\\\?\\\.\%s.bak%08X_tmpChangeWindowMessageFilteruser32.dllfloppycdromA:NTFSEXFATFAT32FAT32FATFAT12FAT16FAT16A:\\\.\A:%s.%s.%s.%s\logon.exeSysVol\Global??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUMEGlobal??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\\.\\\?\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUME%s\*Temp_Docerr_SCDTTempTKStsdocbakWinPatchfilesMailsLeaveMailsTempmails\\GetComputerNameExWGetComputerNameExAexplorer.exeExplorer.exe%s"%s" %sScreen-saverScreenSaverDisconnectWinlogonGetCompressedFileSizeWtooltips_class32%s%sGetLastInputInfoUser32.dll%d%s=|%s=LockWorkStationImmDisableIMEImm32.dllNoModifyNoRepairDisplayIconDisplayVersionInstallDatePublisherDisplayNameUninstallStringSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSetFilePointerExA:CertNameToStrWcrypt32.dllWTHelperGetProvCertFromChainWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataWinVerifyTrustExwintrust.dllsign[%s] CKDigitalSignature::IsSigned WinVerifyTrust err[0x%x]CKDigitalSignature::GetSignName dwRetCode(0x%x) wszInfo(%s)CKDigitalSignature::GetSignName 6CKDigitalSignature::GetSignName 5CKDigitalSignature::GetSignName 4CKDigitalSignature::GetSignName 3CKDigitalSignature::GetSignName 2CKDigitalSignature::GetSignName 1CKDigitalSignature::GetSignNameSecurityCKSecurity::AddAccountMask [####] [ret: %d] [Path: %s] [Name: %s] [Mask: %08x] [Sid: %08x]CKSecurity::AddAccountMask2 [####] [ret: %d] [Path: %s] [Mask: %08x] [Name: %s] [Sid: %08x]NULLCKSecurity::AddEveryoneMask [####] [ret: %d] [Path: %s] [Mask: %08x] [Sid: %08x]S-1-15-2-1S-1-15-2-2CKSecurity::AddAccountMask [####] [Sel] [ret: %d] [myerror: %d] [Path: %s] [Mask: %08x] [Sid: %08x]CKSecurity::GetSid [####] [ret: %d] [myerror: %d] [Name: %s] [Sid: %08x]CKSecurity::GetSid2 [####] [ret: %d] [myerror: %d] [Name: %s] [Sid: %08x]CKSecurity::GetEveryoneSid [####] [ret: %d] [myerror: %d] [Sid: %08x]S-1-1-0CKSecurity::GetSd [####] [ret: %d] [myerror: %d] [Path: %s] [Sd: %08x]CKSecurity::SetSd [####] [ret: %d] [Path: %s] [Sd: %08x]CKSecurity::IsDenyInSd [####] [ret: %d] [myerror: %d] [Sd: %08x]CKSecurity::IsInSd [####] [ret: %d] [myerror: %d] [Sd: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::CopySd [####] [ret: %d] [myerror: %d] [SrcSd: %08x] [DstSd: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::GetAcl [####] [ret: %d] [Sd: %08x] [Acl: %08x] [b: %08x]CKSecurity::SetAcl [####] [ret: %d] [Acl: %08x] [Sd: %08x]CKSecurity::CopyAcl [####] [ret: %d] [myerror: %d] [Sd: %08x] [Acl: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::CopyAcl [####] [Inner] [ret: %d] [myerror: %d] [SrcAcl: %08x] [DstAcl: %08x] [b: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::IsDenyInAcl [####] [Inner] [ret: %d] [myerror: %d] [Acl: %08x] [Index: %d]CKSecurity::IsInAcl [####] [Inner] [ret: %d] [myerror: %d] [Acl: %08x] [Sid:
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: EnumSystemLocalesA,17_2_0044C00F
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: EnumSystemLocalesA,17_2_0044C29A
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: EnumSystemLocalesA,17_2_0044C3AD
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: GetLocaleInfoA,17_2_0044C5A1
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,17_2_0044E9A3
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,17_2_0044EA60
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,17_2_0044EAB6
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,17_2_0044EB79
Source: C:\Program Files (x86)\Common Files\System\systecv3.exe | Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,17_2_0044BE3A
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,18_2_0042E4BA
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: EnumSystemLocalesA,18_2_0042E68F
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: EnumSystemLocalesA,18_2_0042E91A
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: EnumSystemLocalesA,18_2_0042EA2D
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: GetLocaleInfoA,18_2_0042EC21
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,18_2_00431023
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,18_2_004310E0
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,18_2_00431136
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,18_2_004311F9
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,19_2_1003F57A
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: EnumSystemLocalesA,19_2_1003F74F
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: EnumSystemLocalesA,19_2_1003F9DA
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: EnumSystemLocalesA,19_2_1003FAED
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: GetLocaleInfoA,19_2_1003FCE1
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,19_2_10041FD5
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,19_2_10042092
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,19_2_100420E8
Source: C:\Windows\SysWOW64\winrdlv3.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,19_2_100421AB
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bfb1ea21-1324-4f57-bc1d-434ef4bf806e VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformationJump to behavior
                Source: C:\Windows\System32\wimserv.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\wimserv.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\wimserv.exeQueries volume information: C:\Users\user\AppData\Local\Temp\fad12352-7d0a-429b-8c04-8fc46cba154e VolumeInformationJump to behavior
                Source: C:\Windows\System32\wimserv.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\systecv3.exe VolumeInformationJump to behavior
                Source: C:\Windows\System32\wimserv.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\systecv3.exe VolumeInformationJump to behavior
                Source: C:\Windows\System32\wimserv.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe VolumeInformationJump to behavior
                Source: C:\Windows\System32\wimserv.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: \Device\CdRom0\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\833722f7-cd47-4ad9-9371-17645a7b5759 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cf438fea-2ef3-4394-9563-816b66bc10e0 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\2e1d3608-9c04-4d44-a577-4dd26dc04e1b VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\systecv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\systecv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\00adcd52-9283-43d0-a14f-f3ed3b4d05ef VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\d37ef516-8223-4430-a7cc-9979a03a32a3 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\22dc806b-a927-484d-8d56-5320984dde33 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9588ae55-652c-4a4b-8966-e6ee5ef236d4 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\systecv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exeQueries volume information: C:\Users\user\AppData\Local\Temp\System VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D8774 GetSystemTimeAsFileTime,6_2_001D8774
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004A2F10 GetUserNameA,17_2_004A2F10
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00448D4B GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,17_2_00448D4B
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_00405D24 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405D24
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: AntiVirus\kvxp.kxp
Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628242473.0000000010B16000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: \rav\ccenter.exe
Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: KvXP.kxp
Source: systecv3.exe, winrdgv3.exe | Binary or memory string: ulibcfg.exe
Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: KAV32.EXE
Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: nod32.exe
Source: systecv3.exe, winrdgv3.exe | Binary or memory string: ravmond.exe
Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: AntiVirus\KVSrvXP.exe
Source: C:\Windows\SysWOW64\winrdlv3.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : SELECT * FROM AntiVirusProduct
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00556612 CreateBindCtx,lstrlenW,WideCharToMultiByte,lstrlenA,CoTaskMemFree,18_2_00556612
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe | Code function: 18_2_00555F9D lstrlenA,MultiByteToWideChar,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,18_2_00555F9D
MITRE ATT&CK matrix, listed per tactic (column) in the report's row order; a number in front of a technique is the count the report attaches to it, techniques without a number were not observed for this sample:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: 2 Valid Accounts; 1 Replication Through Removable Media; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: 1 Windows Management Instrumentation; 12 Native API; 2 Command and Scripting Interpreter; 12 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 2 LSASS Driver; 1 DLL Side-Loading; 2 Valid Accounts; 33 Windows Service; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: 2 LSASS Driver; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 33 Windows Service; 12 Process Injection; 1 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: 2 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion; 121 Masquerading; 2 Valid Accounts; 3 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection; 1 Regsvr32; Embedded Payloads
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 1 Account Discovery; 1 System Service Discovery; 5 File and Directory Discovery; 38 System Information Discovery; 11 Query Registry; 271 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 11 Archive Collected Data; 1 Screen Capture; 1 Input Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1443624; Sample: #U8fdd#U89c4#U540d#U5355.exe; Start date: 18/05/2024; Architecture: WINDOWS; Score: 100

The behavior graph, written out as a process tree (node numbers are the graph's own; a counter in parentheses after a process name is the value shown on that node):

Start (node 2): signatures Multi AV Scanner detection for submitted file; Yara detected AntiVM3; Found evasive API chain (may stop execution after checking mutex); Found stalling execution ending in API Sleep call. Started: #U8fdd#U89c4#U540d#U5355.exe (node 8, counter 81); winrdgv3.exe (node 12); wimmount.sys (node 14); 6 other processes (node 16).
Node 8, #U8fdd#U89c4#U540d#U5355.exe: dropped C:\Users\user\AppData\Local\Temp\7z.exe (PE32); C:\Program Files (x86)\...\winrdgv3.exe (PE32); C:\Windows\System32\winwdgv364.dll (PE32+); 6 other files (none is malicious). Signature: Modifies the windows firewall. Started: 7z.exe (node 18, counter 9); 7z.exe (node 22, counter 6); Dism.exe (node 24, counters 10 5); 6 other processes (node 28).
Node 12, winrdgv3.exe: started winrdlv3.exe (node 26).
Node 18, 7z.exe: dropped C:\Windows\bakwdgv364.sys (PE32+); C:\Windows\bakwdgv3.sys (PE32); C:\Windows\bakstec3.sys (PE32); 4 other files (3 malicious). Signature: Sample is not signed and drops a device driver. Started: conhost.exe (node 30).
Node 22, 7z.exe: dropped C:\Windows\SysWOW64\winrdlv3.exe (PE32); C:\Windows\SysWOW64\winoav3.dll (PE32); C:\Windows\SysWOW64\bakstec3.sys (PE32); 2 other files (1 malicious). Started: conhost.exe (node 32).
Node 24, Dism.exe: started wimserv.exe (node 34, counter 1); conhost.exe (node 38).
Node 26, winrdlv3.exe: signatures Found stalling execution ending in API Sleep call; Drops executables to the windows directory (C:\Windows) and starts them; Contains functionality to detect sleep reduction / modifications. Started: winrdlv3.exe (node 40).
Node 28, 6 other processes: dropped 2 other files (none is malicious). Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to open files direct via NTFS file id. Started: netsh.exe (node 43, counter 2); netsh.exe (node 45, counter 2); conhost.exe (node 47); 2 other processes (node 49).
Node 34, wimserv.exe: dropped C:\Users\user\AppData\Local\...\winrdgv3.exe (PE32); C:\Users\user\AppData\Local\...\systecv3.exe (PE32). Signature: Tries to open files direct via NTFS file id.
Node 40, winrdlv3.exe: network 45.125.48.89, ports 49711 and 8237 (LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK, Hong Kong). Signatures: Monitors registry run keys for changes; Enables network access during safeboot for specific services; Registers a service to start in safe boot mode; Checks if the current machine is a virtual machine (disk enumeration). Started: regsvr32.exe (node 51).

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner
#U8fdd#U89c4#U540d#U5355.exe | 18% | Virustotal
#U8fdd#U89c4#U540d#U5355.exe | 24% | ReversingLabs
Source | Detection | Scanner
C:\Program Files (x86)\Common Files\System\systecv3.exe | 4% | ReversingLabs
C:\Program Files (x86)\Common Files\System\systecv3.exe | 4% | Virustotal
C:\Program Files (x86)\Common Files\System\winrdgv3.exe | 4% | ReversingLabs
C:\Program Files (x86)\Common Files\System\winrdgv3.exe | 4% | Virustotal
C:\Users\user\AppData\Local\Temp\7z.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\7z.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\7z.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\7z.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\System\systecv3.exe | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\System\systecv3.exe | 4% | Virustotal
C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe | 4% | Virustotal
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll | 1% | Virustotal
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll | 0% | Virustotal
C:\Windows\LInstSvr.exe | 0% | ReversingLabs
C:\Windows\LInstSvr.exe | 1% | Virustotal
C:\Windows\SysWOW64\bakrdgv3.sys | 4% | ReversingLabs
C:\Windows\SysWOW64\bakrdgv3.sys | 4% | Virustotal
C:\Windows\SysWOW64\bakstec3.sys | 4% | ReversingLabs
C:\Windows\SysWOW64\bakstec3.sys | 4% | Virustotal
C:\Windows\SysWOW64\winoav3.dll | 0% | ReversingLabs
C:\Windows\SysWOW64\winoav3.dll | 1% | Virustotal
C:\Windows\SysWOW64\winrdlv3.exe | 0% | ReversingLabs
C:\Windows\SysWOW64\winrdlv3.exe | 3% | Virustotal
C:\Windows\SysWOW64\winwdgv3.dll | 4% | ReversingLabs
C:\Windows\SysWOW64\winwdgv3.dll | 4% | Virustotal
C:\Windows\System32\winwdgv364.dll | 0% | ReversingLabs
C:\Windows\System32\winwdgv364.dll | 1% | Virustotal
C:\Windows\bakoav3.sys | 0% | ReversingLabs
C:\Windows\bakoav3.sys | 1% | Virustotal
C:\Windows\bakrdgv3.sys | 4% | ReversingLabs
C:\Windows\bakrdgv3.sys | 4% | Virustotal
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
http://www.openssl.org/support/faq.html.................... | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe
http://www.register-center.com/=C: | 0% | Avira URL Cloud | safe
http://www.register-center.com/N | 0% | Avira URL Cloud | safe
http://www.register-center.com/ | 0% | Avira URL Cloud | safe
http://www.register-center.com/xE | 0% | Avira URL Cloud | safe
https://st.todesk.com/config-center/sync-config?fullUpdate=true | 0% | Avira URL Cloud | safe
https://st.todesk.com/config-center/sync-config?fullUpdate=false | 0% | Avira URL Cloud | safe
http://crl3.dp) | 0% | Avira URL Cloud | safe
http://www.dig. | 0% | Avira URL Cloud | safe
http://www.register-center.com/N | 0% | Virustotal |
http://.exe890830CWinPatchInstaller::AddTask | 0% | Avira URL Cloud | safe
http://www.register-center.com/w | 0% | Avira URL Cloud | safe
http://www.register-center.com/ | 0% | Virustotal |
                No contacted domains info
Name / Source / Malicious / Antivirus Detection / Reputation

Name: http://www.register-center.com/=C:
Source: winrdgv3.exe, 00000012.00000002.1497543172.00000000010F0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://nsis.sf.net/NSIS_Error
Source: #U8fdd#U89c4#U540d#U5355.exe
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe
Reputation: unknown

Name: http://www.register-center.com/
Source: winrdgv3.exe, 00000012.00000002.1497543172.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.register-center.com/N
Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1484600965.0000000000649000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1483899194.000000000066E000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486796477.0000000000649000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486891079.0000000000676000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1487022338.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000455C000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003125000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1443963988.0000000000658000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.register-center.com/xE
Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.openssl.org/support/faq.html....................
Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1443141785.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000000.1438557027.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1496088763.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000012.00000000.1442175571.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdlv3.exe, 00000013.00000002.2623324896.000000001019F000.00000002.00000001.01000000.00000013.sdmp, winrdlv3.exe, 00000014.00000002.2627709420.0000000010991000.00000002.00000001.01000000.00000014.sdmp, winrdgv3.exe, 00000015.00000002.1470129657.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000015.00000000.1449479022.0000000000566000.00000002.00000001.01000000.00000011.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000527C000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr, winwdgv3.dll.8.dr
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: https://st.todesk.com/config-center/sync-config?fullUpdate=true
Source: servicephqghume_2023_09_23.log.0.dr
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://crl3.dp)
Source: winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://nsis.sf.net/NSIS_ErrorError
Source: #U8fdd#U89c4#U540d#U5355.exe
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: https://st.todesk.com/config-center/sync-config?fullUpdate=false
Source: servicephqghume_2023_09_23.log.0.dr
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.dig.
Source: winrdlv3.exe, 00000013.00000002.2620234829.0000000000562000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://.exe890830CWinPatchInstaller::AddTask
Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628944513.0000000010C34000.00000008.00000001.01000000.00000014.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.register-center.com/w
Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://curl.haxx.se/docs/http-cookies.html
Source: 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2629479273.0000000010CAA000.00000008.00000001.01000000.00000014.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

Name: http://www.openssl.org/support/faq.html
Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, systecv3.exe, 00000011.00000002.1443141785.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000000.1438557027.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1496088763.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000012.00000000.1442175571.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdlv3.exe, 00000013.00000002.2623324896.000000001019F000.00000002.00000001.01000000.00000013.sdmp, winrdlv3.exe, 00000014.00000002.2627709420.0000000010991000.00000002.00000001.01000000.00000014.sdmp, winrdgv3.exe, 00000015.00000002.1470129657.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000015.00000000.1449479022.0000000000566000.00000002.00000001.01000000.00000011.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000527C000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown
                IP: 45.125.48.89
                Domain: unknown
                Country: Hong Kong
                ASN: 132325
                ASN Name: LEMON-AS-AP LEMON TELECOMMUNICATIONS LIMITED HK
                Malicious: false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1443624
                Start date and time:2024-05-18 03:35:48 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 10m 35s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:32
                Number of new started drivers analysed:3
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:#U8fdd#U89c4#U540d#U5355.exe
                renamed because original name is a hash value
                Original Sample Name:.exe
                Detection:MAL
                Classification:mal100.evad.winEXE@42/95@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 123
                • Number of non-executed functions: 286
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
                No context
                Match (ASN name): LEMON-AS-AP LEMON TELECOMMUNICATIONS LIMITED HK
                Associated Sample Name / URL    Detection    Threat Name             Context
                OtcfX6j1KC.exe                  malicious    Unknown                 103.71.154.163
                OtcfX6j1KC.exe                  malicious    Unknown                 103.71.154.163
                Ooseha.exe                      malicious    FormBook                103.71.154.243
                file.exe                        malicious    FormBook                103.71.154.243
                28uAna2h01.exe                  malicious    FormBook                103.71.154.243
                P3oBHu3d3E.exe                  malicious    FormBook                103.71.154.244
                DHL_AWB_907853880911.exe        malicious    FormBook                103.71.154.59
                Pre_Qualification_Doc.exe       malicious    FormBook                103.71.154.59
                FT_-_007272023.exe              malicious    FormBook, NSISDropper   103.71.154.100
                ACp6pRv2ao.elf                  malicious    Mirai                   103.193.174.196
                No context
                Match (dropped file)                                        Associated Sample Name / URL    Detection    Threat Name
                C:\Program Files (x86)\Common Files\System\systecv3.exe     setup#U67e5#U770b.exe           malicious    Unknown
                C:\Program Files (x86)\Common Files\System\winrdgv3.exe     setup#U67e5#U770b.exe           malicious    Unknown
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Joe Sandbox View:
                    • Filename: setup#U67e5#U770b.exe, Detection: malicious, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................................4.............................9...................|...}.......Rich............PE..L.....lc..........................................@...........................%......q%.....................................XX!.@.....%.H...........h.$..Q.......... ................................................................................text...b........................... ..`.rdata..............................@..@.data.........!.......!.............@....rsrc...H.....%.......$.............@..@........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Joe Sandbox View:
                    • Filename: setup#U67e5#U770b.exe, Detection: malicious, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.........................................w......?.....?....3.....Rich...........................PE..L.....lc.................P...................`....@.................................D........................................"..........P...........h0...Q...........i...............................................`...............................text....F.......P.................. ..`.rdata.......`.......`..............@..@.data.......`.......`..............@....rsrc...P............ ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with CRLF, CR line terminators
                    Category:modified
                    Size (bytes):416
                    Entropy (8bit):4.2129365121397795
                    Encrypted:false
                    SSDEEP:6:ZJocgvCIN2By1sZ23fFMWxRAi2OYOd0Cyp6d0CyxtqX4E8NGN8e:rIN2lcNBrXSQ0Cyp80CyGXB8NGNT
                    MD5:4565896E7782CE2C11EA54223A175415
                    SHA1:B92ECE48B886A3C2D2619CD22F105CB51D6F9917
                    SHA-256:1A6B0335B73ACF1AF1448BDF25889F77C3FC851DD3CA6A608B2566E244BB5BC8
                    SHA-512:21913C1E0BEF7CF218AC5A655197ED361691BE1D4191DE0762FED148D1B2F3159A216617428E0C069CCFBCD2E278D6C56581353075F3F31B5233FD3BBB8F1667
                    Malicious:false
                    Preview:..Deployment Image Servicing and Management tool..Version: 10.0.19041.746....Image File : C:\Users\user\AppData\Local\Temp\System.wim..Image Index : 1..Saving image...[===========================57.0%= ] ...[==========================100.0%==========================] ..Unmounting image...[==========================100.0%==========================] ..The operation completed successfully...
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:x86 executable
                    Category:dropped
                    Size (bytes):704
                    Entropy (8bit):3.5728578030546716
                    Encrypted:false
                    SSDEEP:12:Rsw7gl/NtCUVw7Jsw7gl/ERFw7mXyo2zE006SGTVaR7D:2w8NHwqw8EnwKXp7yS5
                    MD5:55068FBE8A91CCAE4A53F2BA839C20DE
                    SHA1:D46991761B96681917A97853ABD659750CAFA822
                    SHA-256:4B112CA40272BE8E4ACBEC70059BE12DD7322AC494501244B920EA52DE6044AE
                    SHA-512:DDFC566DE8DCDAC2716F96846DC6A39BC812A62B70F211488FF8B256535E49B5374FD84FB3951BD68CB3EBC90EED0DB03B062301F1930DD343F554644181F827
                    Malicious:false
                    Preview:H...............................$.......@........... ... ...................$.N........X......................................... ... .....$.....................$.N..............$.......@........... ... ...................$.N........X......................................... ... .....$.....................$.N......h..............................................v.u.....'............................................................ ...............................|..............=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e........... ...............................|.....................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...........
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (406), with no line terminators
                    Category:dropped
                    Size (bytes):814
                    Entropy (8bit):3.381266407504656
                    Encrypted:false
                    SSDEEP:24:Q3iXAKMalVE8idpOsGLV+eOsHsGR+pzstdyFdAys:ggjMaX28sGExsHsGEpzsHKNs
                    MD5:F0ECD1412EF28F59932E52F0C856A9B5
                    SHA1:770C3E24F2E78DD0EEB4CD5A8827521963C4894F
                    SHA-256:DD7BF45F567337DC54633A2C2937B77327D40B9C69C55A6D782212EC6201F461
                    SHA-512:148BF130CDAE85272294EBB5B2B4CFED576AC2E4F5F93C5435FC30D05E0D66156FAB1D3493566DF88078A4CFD8EFB468ED3719937E9E82772A65CD7F78F44D36
                    Malicious:false
                    Preview:..<.W.I.M.>.<.T.O.T.A.L.B.Y.T.E.S.>.4.2.2.6.2.7.4.<./.T.O.T.A.L.B.Y.T.E.S.>.<.I.M.A.G.E. .I.N.D.E.X.=.".1.".>.<.N.A.M.E.>.1.<./.N.A.M.E.>.<.D.I.R.C.O.U.N.T.>.0.<./.D.I.R.C.O.U.N.T.>.<.F.I.L.E.C.O.U.N.T.>.2.<./.F.I.L.E.C.O.U.N.T.>.<.T.O.T.A.L.B.Y.T.E.S.>.4.2.2.3.9.5.2.<./.T.O.T.A.L.B.Y.T.E.S.>.<.C.R.E.A.T.I.O.N.T.I.M.E.>.<.H.I.G.H.P.A.R.T.>.0.x.0.1.D.A.A.7.B.E.<./.H.I.G.H.P.A.R.T.>.<.L.O.W.P.A.R.T.>.0.x.E.D.B.3.F.7.E.3.<./.L.O.W.P.A.R.T.>.<./.C.R.E.A.T.I.O.N.T.I.M.E.>.<.L.A.S.T.M.O.D.I.F.I.C.A.T.I.O.N.T.I.M.E.>.<.H.I.G.H.P.A.R.T.>.0.x.0.1.D.A.A.8.C.3.<./.H.I.G.H.P.A.R.T.>.<.L.O.W.P.A.R.T.>.0.x.E.1.9.3.3.0.9.B.<./.L.O.W.P.A.R.T.>.<./.L.A.S.T.M.O.D.I.F.I.C.A.T.I.O.N.T.I.M.E.>.<.H.A.R.D.L.I.N.K.B.Y.T.E.S.>.0.<./.H.A.R.D.L.I.N.K.B.Y.T.E.S.>.<.W.I.M.B.O.O.T.>.0.<./.W.I.M.B.O.O.T.>.<./.I.M.A.G.E.>.<./.W.I.M.>.
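The UTF-16 file above is WIM XML metadata written by Dism.exe (the same structure a WIM carries in its XML data resource); its single image, index 1, lines up with the C:\Users\user\AppData\Local\Temp\System.wim that the DISM log earlier in this section shows being saved and unmounted. The two FILETIME pairs and the byte counts are what matter for triage, so the following is an added worked example, not code from the sample or from Joe Sandbox: a Python parser that strips the BOM, decodes the UTF-16LE XML, converts each HIGHPART/LOWPART pair into a UTC timestamp, and reconciles FILECOUNT and the image TOTALBYTES against the sizes of the two PE32 files the sample drops. The XML text is reconstructed from the preview above and the two sizes (2421224 and 1802728 bytes) are taken from this report's dropped-file records; which of the two files is which inside the image is not stated on the page, and the example does not assume it.

```python
"""Decode a WIM XML metadata block (UTF-16LE with BOM, as DISM writes it)
and reconcile it with the dropped-file sizes listed in the sandbox report.

Added example for this report; not code from the sample or from Joe Sandbox.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed input: the XML reconstructed from the report's preview of the
# 814-byte UTF-16 file dropped by Dism.exe (BOM + UTF-16LE, no line breaks).
WIM_XML_TEXT = (
    '<WIM><TOTALBYTES>4226274</TOTALBYTES>'
    '<IMAGE INDEX="1"><NAME>1</NAME><DIRCOUNT>0</DIRCOUNT><FILECOUNT>2</FILECOUNT>'
    '<TOTALBYTES>4223952</TOTALBYTES>'
    '<CREATIONTIME><HIGHPART>0x01DAA7BE</HIGHPART><LOWPART>0xEDB3F7E3</LOWPART>'
    '</CREATIONTIME>'
    '<LASTMODIFICATIONTIME><HIGHPART>0x01DAA8C3</HIGHPART><LOWPART>0xE193309B</LOWPART>'
    '</LASTMODIFICATIONTIME>'
    '<HARDLINKBYTES>0</HARDLINKBYTES><WIMBOOT>0</WIMBOOT></IMAGE></WIM>'
)
WIM_XML_BYTES = b"\xff\xfe" + WIM_XML_TEXT.encode("utf-16-le")

# Sizes of the two PE32 files the sample drops, as listed in this report.
# The report does not say which size belongs to which file, so only the set is used.
DROPPED_PE_SIZES = [2421224, 1802728]

# Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(highpart: str, lowpart: str) -> datetime:
    """Join the HIGHPART/LOWPART hex strings into one FILETIME and convert to UTC."""
    ticks = (int(highpart, 16) << 32) | int(lowpart, 16)
    # 10 ticks per microsecond; sub-microsecond remainder is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_wim_xml(raw: bytes) -> dict:
    """Parse a WIM XML data block, honouring the UTF-16 BOM if present."""
    if raw.startswith(b"\xff\xfe"):
        text = raw[2:].decode("utf-16-le")
    elif raw.startswith(b"\xfe\xff"):
        text = raw[2:].decode("utf-16-be")
    else:
        text = raw.decode("utf-16-le")  # DISM output without BOM is still LE
    root = ET.fromstring(text)
    images = []
    for img in root.findall("IMAGE"):
        ctime = img.find("CREATIONTIME")
        mtime = img.find("LASTMODIFICATIONTIME")
        images.append({
            "index": int(img.get("INDEX")),
            "name": img.findtext("NAME"),
            "dir_count": int(img.findtext("DIRCOUNT")),
            "file_count": int(img.findtext("FILECOUNT")),
            "total_bytes": int(img.findtext("TOTALBYTES")),
            "creation_time": filetime_to_datetime(
                ctime.findtext("HIGHPART"), ctime.findtext("LOWPART")),
            "last_modification_time": filetime_to_datetime(
                mtime.findtext("HIGHPART"), mtime.findtext("LOWPART")),
        })
    # Outer TOTALBYTES is the whole WIM file; per-image TOTALBYTES is file data only.
    return {"total_bytes": int(root.findtext("TOTALBYTES")), "images": images}


def reconcile_image(image: dict, dropped_sizes: list) -> dict:
    """Check the image manifest against the files the report says were dropped."""
    return {
        "file_count_matches": image["file_count"] == len(dropped_sizes),
        "total_bytes_matches": image["total_bytes"] == sum(dropped_sizes),
    }


def iso(dt: datetime) -> str:
    """Second-resolution ISO 8601 in UTC, for comparing with the report's timestamps."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    info = parse_wim_xml(WIM_XML_BYTES)
    print(f"WIM size: {info['total_bytes']} bytes")
    for image in info["images"]:
        print(f"image {image['index']}: {image['file_count']} files, "
              f"{image['total_bytes']} bytes of file data")
        print("  created :", iso(image["creation_time"]))
        print("  modified:", iso(image["last_modification_time"]))
        print("  reconcile:", reconcile_image(image, DROPPED_PE_SIZES))
```

Running it gives CREATIONTIME 2024-05-16T18:29:03Z and LASTMODIFICATIONTIME 2024-05-18T01:37:01Z. The analysis started 2024-05-18 03:35:48 +02:00 (01:35:48 UTC), so the modification is the commit performed during the run, while the creation time predates the run by roughly 31 hours: the image already existed when the sample executed, which fits the mount, modify and commit sequence in the DISM log rather than a fresh capture. The byte counts reconcile exactly, 2421224 + 1802728 = 4223952 = image TOTALBYTES with FILECOUNT 2, so the image's payload is precisely the two PE32 files listed above, and the remaining 2322 bytes up to the outer TOTALBYTES of 4226274 are the WIM's own headers and metadata.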
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1163736
                    Entropy (8bit):6.6207610426809005
                    Encrypted:false
                    SSDEEP:24576:p4K5hK124cWKupj+zEgf94/JEo2BXrXNH6YsPfRQuIeCoFkDeK:p4wKYJuN+zEgoJSaNPpQuIeDkDe
                    MD5:3F78C51A0A5CB5E0536FF63EF3D75E11
                    SHA1:557E55064B161841DA857FC6BC6F408963F82E07
                    SHA-256:4200B6B656C3C7B6447A42632451E2402245815ECCD6F9A3BAFF60585FBB0B0F
                    SHA-512:F4B485A27341E8C163C704BEA4624CC3A9C4C8215790F83B290CE59526E0515A3F4A96BB17623A404F42A7B47A05AD6F912D61D6CD7BF6AD370A2004AE7C48FD
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]...]...]..V...].~.S...]..W...]..Y...].s.....]...\..].~.....]...V.'.]...W...]..A....].e.^...]..A....].......].:.[...]...Y...].Rich..].........PE..L.....<^...........!.........p......3........................................P......\*....@.........................p...y.......d....0...{...............7.......~......................................................<............................text.............................. ..`.rdata..............................@..@.data...............t..............@....sxdata...... .......z..............@....rsrc....{...0...|...|..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):309720
                    Entropy (8bit):6.5933657164977
                    Encrypted:false
                    SSDEEP:6144:fdeUJaXYOMqsGXKdFhLOWtE+Q2UsIEgbbe73aTL/VctpuaLyeUeC:fdRVOsfCyE+QPsIEic3k
                    MD5:36A3807A11DF584777165172C71797EE
                    SHA1:FA588A65041D8947FA98E9507C69E43D11B450D2
                    SHA-256:26D550366491EE0FE14F6CBB67C9BAC55300A04B34E92F973A96D00CEF071E5E
                    SHA-512:8D265CFE5ABCDB6B627414786763B1B7099E8DEE52F79B99E768DFC77995EE1139177C5BC26ABAE219216D0540A3C5DAE9ACA8AABE322D737A0509F94D269779
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................n...............c.......t...n............=..........=9...*.....Rich..........PE..L.....<^.................|...$......FM............@.................................H.....@..................................>..x........................7.......-......................................................$............................text....{.......|.................. ..`.rdata..^...........................@..@.data...P'...P.......:..............@....sxdata..............@..............@....rsrc................B..............@..@.reloc..@6.......8...J..............@..B........................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:x86 executable
                    Category:dropped
                    Size (bytes):704
                    Entropy (8bit):3.5728578030546716
                    Encrypted:false
                    SSDEEP:12:Rsw7gl/NtCUVw7Jsw7gl/ERFw7mXyo2zE006SGTVaR7D:2w8NHwqw8EnwKXp7yS5
                    MD5:55068FBE8A91CCAE4A53F2BA839C20DE
                    SHA1:D46991761B96681917A97853ABD659750CAFA822
                    SHA-256:4B112CA40272BE8E4ACBEC70059BE12DD7322AC494501244B920EA52DE6044AE
                    SHA-512:DDFC566DE8DCDAC2716F96846DC6A39BC812A62B70F211488FF8B256535E49B5374FD84FB3951BD68CB3EBC90EED0DB03B062301F1930DD343F554644181F827
                    Malicious:false
                    Preview:H...............................$.......@........... ... ...................$.N........X......................................... ... .....$.....................$.N..............$.......@........... ... ...................$.N........X......................................... ... .....$.....................$.N......h..............................................v.u.....'............................................................ ...............................|..............=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e........... ...............................|.....................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...........
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Generic INItialization configuration [DrvCeo]
                    Category:dropped
                    Size (bytes):70
                    Entropy (8bit):4.497070968537381
                    Encrypted:false
                    SSDEEP:3:f1AW+DXFBAKV1Kgjy6q3RG/:f1zuFBASAgjy6wi
                    MD5:6DE368531D0C67C2BC1B3A0171A93584
                    SHA1:6C785C65A745D5536FECFA7903E68EFC11480E1D
                    SHA-256:AF8265A7766F14CB49ED3503EDEE7BEA2F8E640B4FBE539324E9F1D46CAFA652
                    SHA-512:2F8FBC626F70389F1F04FE6F40E21FCB6CCDE84147CD530A0DAA81E3454D49F89E44F9EC47B7F47DFDF6C2348D0804F0CE4A9B9BAF76A56F82A34820FFF47E85
                    Malicious:false
                    Preview:[Server]..Host=drvceoup.sysceo.cn..Port=1984..[DrvCeo]..type=netcard..
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):1645
                    Entropy (8bit):5.909461956668875
                    Encrypted:false
                    SSDEEP:48:2/6Ozo7FDVknA9WpYYz5OlwY3KHfy3dH097y7nF:2S0o7FhknmWpY659lHfYH09+7F
                    MD5:C2D04CA7997E87428B9218143525E5EB
                    SHA1:E03FF4F21190CB8BD0250EFC7ABF9F88794CD8E1
                    SHA-256:0AA69253268F6E9F4E1E5775D695E32269662C6BBE41A384C4070634FD26B50C
                    SHA-512:042AE8AAD2008A4421ABB7FB2515D7AE0A884BBFE8AD8F52F71907814D6E15B1BEA79766B13BC6927735DCFC1333D7B599C20E5D4C3D175653564CEF5F034083
                    Malicious:false
                    Preview:.PNG........IHDR..............H-.....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmp:CreateDate="2018-04-18T01:43:51+08:00" xmp:MetadataDate="2018-04-18T01:43:51+08:00" xmp:ModifyDate="2018-04-18T01:43:51+08:00" xmpMM:InstanceID="xmp.iid:9f37837f-dc74-214e-b252-a5ed4cfad703" xmpMM:DocumentID="adobe:docid:photoshop:5b7e6b64-9c32-c344-b3ee-054eb0f6c3f4" xmpMM:OriginalDocumentID="xmp.did:4c63f349-5efd-ae4d-96f4-5e31a4f7d2be" dc:format="image/
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):58
                    Entropy (8bit):4.517042417354859
                    Encrypted:false
                    SSDEEP:3:u3teCJLCWovkJ95iwLoDy:u3tKe95iw6y
                    MD5:9FC5C45BDD7943A750BFB4401C2EC199
                    SHA1:9AC1B05C15D0D4F8401278BC240744A66356AD0E
                    SHA-256:DF2B6032447D99D0A24DF5F751EF87211B1E9F17B2484C41E95B77FE1C234390
                    SHA-512:282EB4A28309123337CE2C6C03D2E6CB39344A7FD526B46A048EA5499AFA16445C34028D3C20B6A6AB0868DBC1645109B986E3D921C7AD7CAF5D4813886251A1
                    Malicious:false
                    Preview:[DrvCeoSet]..ShowMsgBox=off..Autoscan=on..Desktoplnk=off..
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):1096
                    Entropy (8bit):5.13006727705212
                    Encrypted:false
                    SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                    MD5:4D42118D35941E0F664DDDBD83F633C5
                    SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                    SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                    SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                    Malicious:false
                    Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:7-zip archive data, version 0.4
                    Category:dropped
                    Size (bytes):4246584
                    Entropy (8bit):7.99995485367236
                    Encrypted:true
                    SSDEEP:98304:aXQiJSPH5rZSbB90qgJLcHYPqYOy0ejQZdYVDehd/:aXQiuBAV9cnPowakC
                    MD5:F362114C214E69EDD8BFA568DDC7ADF1
                    SHA1:BFF8B437CFF93F7FE4B062E231CFFF433B6C905A
                    SHA-256:68662FBEBF87C6B7FF947B54532E5348A2136C6D9A10CBBCFB01FC7567D3D357
                    SHA-512:02363FDEA5A1AB414E59797F59D52180BC6A7D3E8F95907526F9FD5E3ABD35ED9FF9438507133341DC294569BDE4ACE5F52142E22A267D80F7509C7015A18BD2
                    Malicious:false
                    Preview:7z..'.....il..@.....%.......a+...iT.J_.:$.....U....Y..{.....JTf=#...k.!zh.4...'..n..y.....Ux.F6.C.EI..=.j....c&..na.4.w.5.{.\H,.0.vn.rN.mUK.<h..&,.!......6.....U .Yu.G.............I.ZS...$./Z....>0E.'U|._.n\,'..F.W......Ij9..f../.H.p.....i,v.P2Rz...E.I..(...u..OKd..zp.7?-..Y..I.!..W*z....y....c....kG...8[P<....x...~./.%sgq...T..f.. .a......./..\..5.-....P~..0.iW&..+&&./.).|i....Jy...i`....Q..........3.....?.`......0..]D.-/3;|H.-^.k...k.8r..E..'...%...6..'.....+...l.G..........W.C.J....k..E5..L1............>....7I1\......7=n7......J...c..K....G-;|.YB..x..k.N..y.nn.M...\K.`...S)R...M'%.)......-.56*.bc.Um.c. z....s.g...........L...6t.A....zk...6c...pH.9*..qs.^... ...Zs....<..}...W..WE...L....iM.A...3a.^.W..o'.a.....g..J..7...,..#m.wC.:.v.yh..Q..^....)x..._3..q%.G.!..&._.S.B.#a..1x'".t....x...q.[.f...[l.G.6.g|...3.&...=A.z..1..s+.1....f.2gt.y...!..]_.X...*3....H[...^...I..+.....aP..bBJT..K)c.s.i....;i!..+.L...0q.....{K.n...Pw...O..G
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):11742
                    Entropy (8bit):3.594077202686223
                    Encrypted:false
                    SSDEEP:192:Rs5/GxyV15WMiSz88XgR3b4RN188cjwkY7taZuOMbfc20ungKFmWTm2i2tcFo:uVTWMHz88X+3SNGjTde0ugL2i2B
                    MD5:A8C3ECD173022692213259D1058E7DEB
                    SHA1:1F7B3D1372D369C0FD09457F38830EBFA592A49E
                    SHA-256:EC84DEAE11AE936AEF6410A23A5B84FE3DC3315D5C537558336CF6979AFBF9F7
                    SHA-512:63D8A5CB3A57FCC0A57176A75E71C465A8A1514E985B7E78182A3E25AAF71ACBF42E763470A11AEAD60B89A7167DD672EF77BEB51EF3A4DAB599A508D1FD8A17
                    Malicious:false
                    Preview:..[.C.o.n.t.r.o.l.].....B.t.n._.D.r.v.M.a.n.a.g.e.r.=.". . . . . . .D.r.i.v.e.r.(.&.D.).".....B.t.n._.T.o.o.l.s.=.". . . .T.o.o.l.s.(.&.T.).".....B.t.n._.D.o.c.t.o.r.=.". . . . . . .S.e.r.v.i.c.e.s.(.&.U.).".....B.t.n._.S.h.o.p.=.". . . . . . .S.h.o.p.(.&.S.).".....B.t.n._.S.c.a.n.=.S.t.a.r.t. .S.c.a.n.(.&.C.).....L.a.b._.S.c.a.n.T.i.p.=.S.t.a.r.t. .S.c.a.n.,.D.r.i.v.e.r. .U.p.d.a.t.e.r.....L.a.b._.L.i.s.t.v._.P.c.n.a.m.e.=.N.a.m.e.....L.a.b._.L.i.s.t.v._.D.r.v.v.e.r.=.F.i.l.e.V.e.r.....L.a.b._.L.i.s.t.v._.D.r.v.d.a.t.e.=.F.i.l.e.D.a.t.e.....L.a.b._.A.g.a.i.n.S.c.a.n.=.A.g.a.i.n. .S.c.a.n.....L.a.b._.S.e.r.r.o.r._.A.g.a.i.n.S.c.a.n.=.R.e.t.r.y.....B.t.n._.S.e.t.u.p.=.I.n.s.t.a.l.l. .A.l.l.(.&.P.).....R.b._.D.c.S.t.a.b.l.e.=.S.t.a.b.l.e.....R.b._.D.c.N.e.w.=.N.e.w.....L.a.b._.P.E.I.t.i.p.1.=.I.n.s.t.a.l.l. .t.o. .t.h.e. .t.a.r.g.e.t. .s.y.s.t.e.m.....L.a.b._.P.E.I.t.i.p.2.=.P.l.e.a.s.e. .s.e.l.e.c.t. .t.h.e. .t.a.r.g.e.t. .s.y.s.t.e.m. .d.r.i.v.e. .l.e.t.t.e.r. .t.o. .l.o.a.d. .t.h.e. .
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8672
                    Entropy (8bit):5.362574426571773
                    Encrypted:false
                    SSDEEP:192:R9Er87LoXR+/2jUAKtKy1GgTag8kWRjmLz77s0RI+VwfBA9PAKcrSpZ2J72067:wXR+/JAKtFTahU7XInfeuGZ2J72V7
                    MD5:1855EF58C6EA68F97B7B06F934A57066
                    SHA1:C72B1A2E476898DA3B392F21C507DB098E0E7ABA
                    SHA-256:24C7AF10430FB54133E2AD32704E3969B7C65BBE34949287E00585B8751C3D77
                    SHA-512:D40C9178865D83206B248D8DE26EA8D9181A129F26BF57AA4AB27B9421E0BB47C2492B051274A0B203D8F1EEA4571B2F6907A5F5F67C850776E07C031EF9A7A7
                    Malicious:false
                    Preview:..[.C.o.n.t.r.o.l.].....B.t.n._.D.r.v.M.a.n.a.g.e.r.=.". . . . . . .q..R.{.t(.&.D.).".....B.t.n._.T.o.o.l.s.=.". . . ..]wQ.{(.&.T.).".....B.t.n._.D.o.c.t.o.r.=.". . . . . . .5u...@b(.&.U.).".....B.t.n._.S.h.o.p.=.". . . . . . ..[.eFU.W(.&.S.).".....B.t.n._.S.c.a.n.=..zsS.hKm(.&.C.).....L.a.b._.S.c.a.n.T.i.p.=..zsSSO.h...f.elx.Nq..R....L.a.b._.L.i.s.t.v._.P.c.n.a.m.e.=....Y.T.y....L.a.b._.L.i.s.t.v._.D.r.v.v.e.r.=..e.NHr,g....L.a.b._.L.i.s.t.v._.D.r.v.d.a.t.e.=..e.N.e.g....L.a.b._.A.g.a.i.n.S.c.a.n.=...e.hKm....L.a.b._.S.e.r.r.o.r._.A.g.a.i.n.S.c.a.n.=..pdk......B.t.n._.S.e.t.u.p.=..N...[.(.&.P.).....R.b._.D.c.S.t.a.b.l.e.=.3z.[q..R....R.b._.D.c.N.e.w.=..g.eq..R....L.a.b._.P.E.I.t.i.p.1.=.q..R...0R.v.h.|.~!j._....L.a.b._.P.E.I.t.i.p.2.=......b.v.h.|.~.v&{.R}.q..R../e.cS_MRck(W.O(u.v.|.~.TsS.\.r..v.|.~.0....L.a.b._.O.s.D.r.i.v.e.=..|.~.v&{:.....C.b._.D.e.p.l.o.y.L.o.a.d.d.c.=..r..e.R}.....L.a.b._.F.i.x.e.d.D.r.i.v.e.=..V.[.v&{:.....C.b._.S.u.e.f.i.=..QU.E.F.I. .W.i.n.7. .6.4.MO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8704
                    Entropy (8bit):5.364919152132083
                    Encrypted:false
                    SSDEEP:192:RgErrhYQVplHC9AGWNiBmpPntFn15Mc/89Ve/BLwX7DaFqJoNB5yJT42k2U:JplHCVWABA5MRDaIoRt2k2U
                    MD5:5F821627DD9440B1B3CE9F7E5DC6DF97
                    SHA1:287B889B6FA622893CA3422124318F4C8FE6AB42
                    SHA-256:231D77CF9FA771D2BECE030C61427B454A51565B21E52B90A5CCE97E1881EFDC
                    SHA-512:8C30D64C77405A2DC1F6D4F9739EE30F190146FD269BBE733C7C92A367D2400A71348BB0363E2A5A8DC171C8168C5956FF77D8E413532CB35EA5957148994969
                    Malicious:false
                    Preview:..[.C.o.n.t.r.o.l.].....B.t.n._.D.r.v.M.a.n.a.g.e.r.=.". . . . . . .E..R.{.t(.&.D.).".....B.t.n._.T.o.o.l.s.=.". . . ..]wQ.{(.&.T.).".....B.t.n._.D.o.c.t.o.r.=.". . . . . . ...f.:.@b(.&.U.).".....B.t.n._.S.h.o.p.=.". . . . . . ..[.eFU.^(.&.S.).".....B.t.n._.S.c.a.n.=..zsS.j,n(.&.C.).....L.a.b._.S.c.a.n.T.i.p.=..zsS.j,n,..f.elx.NE..R....L.a.b._.L.i.s.t.v._.P.c.n.a.m.e.=..n..T1z....L.a.b._.L.i.s.t.v._.D.r.v.v.e.r.=..e.NHr,g....L.a.b._.L.i.s.t.v._.D.r.v.d.a.t.e.=..e.N.e.g....L.a.b._.A.g.a.i.n.S.c.a.n.=...e.j,n....L.a.b._.S.e.r.r.o.r._.A.g.a.i.n.S.c.a.n.=..dk.f.....B.t.n._.S.e.t.u.p.=..Nu..[.(.&.P.).....R.b._.D.c.S.t.a.b.l.e.=.iz.[!j._....R.b._.D.c.N.e.w.=..g.e!j._....L.a.b._.P.E.I.t.i.p.1.=.E..R...0R.v.j.|q}!j._....L.a.b._.P.E.I.t.i.p.2.=..x..d.v.j.|q}.x.v.R..E..R../e.cvuMRck(W.O(u.v.|q}.TsS.\.r..v.|q}.0....L.a.b._.O.s.D.r.i.v.e.=..|q}.v&{:.....C.b._.D.e.p.l.o.y.L.o.a.d.d.c.=..r.Bf.R......L.a.b._.F.i.x.e.d.D.r.i.v.e.=..V.[.v&{:.....C.b._.S.u.e.f.i.=..zlU.E.F.I. .W.i.n.7. .6.4.MO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8676
                    Entropy (8bit):5.36831529343714
                    Encrypted:false
                    SSDEEP:192:RgErrhYQVplHC9AGWNiBmpPntFn15Mc/89Ke/BLwX7DaFqJoNB5yJT42k2U:JplHCVWABA5MeDaIoRt2k2U
                    MD5:31218B29837F9DC19061FDEBF9329208
                    SHA1:ABBF111CEC6390FBCA183D3A5326A59867DD8328
                    SHA-256:15E8FE2F222048DACB4C732CEC7B693A80B448E541165FBA315F7276123E89E9
                    SHA-512:A049146A25BC9D783367A692490AAEBD69ABA1BE5611A98D6EEC08A71E07FE4325838720804D9A5E4C627BF6AC3A591F574482A757F9AD7A491D837D65FACB82
                    Malicious:false
                    Preview:..[.C.o.n.t.r.o.l.].....B.t.n._.D.r.v.M.a.n.a.g.e.r.=.". . . . . . .E..R.{.t(.&.D.).".....B.t.n._.T.o.o.l.s.=.". . . ..]wQ.{(.&.T.).".....B.t.n._.D.o.c.t.o.r.=.". . . . . . ...f.:.@b(.&.U.).".....B.t.n._.S.h.o.p.=.". . . . . . ..[.eFU.^(.&.S.).".....B.t.n._.S.c.a.n.=..zsS.j,n(.&.C.).....L.a.b._.S.c.a.n.T.i.p.=..zsS.j,n,..f.elx.NE..R....L.a.b._.L.i.s.t.v._.P.c.n.a.m.e.=..n..T1z....L.a.b._.L.i.s.t.v._.D.r.v.v.e.r.=..e.NHr,g....L.a.b._.L.i.s.t.v._.D.r.v.d.a.t.e.=..e.N.e.g....L.a.b._.A.g.a.i.n.S.c.a.n.=...e.j,n....L.a.b._.S.e.r.r.o.r._.A.g.a.i.n.S.c.a.n.=..dk.f.....B.t.n._.S.e.t.u.p.=..Nu..[.(.&.P.).....R.b._.D.c.S.t.a.b.l.e.=.iz.[!j._....R.b._.D.c.N.e.w.=..g.e!j._....L.a.b._.P.E.I.t.i.p.1.=.E..R...0R.v.j.|q}!j._....L.a.b._.P.E.I.t.i.p.2.=..x..d.v.j.|q}.x.v.R..E..R../e.cvuMRck(W.O(u.v.|q}.TsS.\.r..v.|q}.0....L.a.b._.O.s.D.r.i.v.e.=..|q}.v&{:.....C.b._.D.e.p.l.o.y.L.o.a.d.d.c.=..r.Bf.R......L.a.b._.F.i.x.e.d.D.r.i.v.e.=..V.[.v&{:.....C.b._.S.u.e.f.i.=..zlU.E.F.I. .W.i.n.7. .6.4.MO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Windows imaging (WIM) image v1.13, reparse point fixup
                    Category:dropped
                    Size (bytes):4227088
                    Entropy (8bit):6.509290465216342
                    Encrypted:false
                    SSDEEP:49152:PhxaM+7g+Kzq4I28/1eKle7mLXyn0LLz5zISSrqW36I7FXDx0hz:PhxBJq4I28/1eKlemBz50OWz7W
                    MD5:B84336CF280F1E300D235D1CACB5E662
                    SHA1:E514F3DF7567E67D1C22E5F03CDFF6A779A30CF5
                    SHA-256:BBCDBBA7D0CC2EF19861BA24305BEEBBA5C198BAA1500E2A97BC27FB4B736FEB
                    SHA-512:0EE0C742EBF1BFBFE7485946F18D56BC02E009C2E25BDA160CCE086F1A85B6FCFB72771F58A1698265052C1DBCC29C8070F4CE571B1E9DD76C0AE9086CBA08E1
                    Malicious:false
                    Preview:MSWIM...................ik0...H.k.U.fEe................L|@......................|@.............................................................................................................................MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................................4.............................9...................|...}.......Rich............PE..L.....lc..........................................@...........................%......q%.....................................XX!.@.....%.H...........h.$..Q.......... ................................................................................text...b........................... ..`.rdata..............................@..@.data.........!.......!.............@....rsrc...H.....%.......$.............@..@........................................................................................................................................
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):416
                    Entropy (8bit):3.2595647105004093
                    Encrypted:false
                    SSDEEP:6:OXvVtElVzUEZ+lX1PkROr1GlmVzUEZ+lX1PkR1TlmVzUEZ+lX1MFVEPn+SkuIBaT:uNeQ1Pk01GlGQ1PkzTlGQ1f+rBaKW
                    MD5:DAEFEB0213279B42AFCA0C0290F12E6E
                    SHA1:4DE0A0E19DCFBF279085B95A83BF2737BCCD0C9B
                    SHA-256:597346A6E6BE8F177A1006F0DC63CB8734A2E58BAE7041FCBD760092E860A690
                    SHA-512:D0CCA01603BEEC0FF5D75E6AF096FA573CF6C0CCB837CAFC0FB1B386052285AD47C39BA0A2B6859FCDBAFB3F041212C559316BAD922962CB79EC31464B841FE3
                    Malicious:false
                    Preview:................IQz...AN...R...............Z...C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.S.y.s.t.e.m...w.i.m.............R...C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.S.y.s.t.e.m.............F...C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.........................H...H...........C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.D.I.S.M.\.d.i.s.m...l.o.g...
                    Process:C:\Windows\System32\wimserv.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................................4.............................9...................|...}.......Rich............PE..L.....lc..........................................@...........................%......q%.....................................XX!.@.....%.H...........h.$..Q.......... ................................................................................text...b........................... ..`.rdata..............................@..@.data.........!.......!.............@....rsrc...H.....%.......$.............@..@........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\System32\wimserv.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.........................................w......?.....?....3.....Rich...........................PE..L.....lc.................P...................`....@.................................D........................................"..........P...........h0...Q...........i...............................................`...............................text....F.......P.................. ..`.rdata.......`.......`..............@..@.data.......`.......`..............@....rsrc...P............ ..............@..@........................................................................................................................................................................................................................................................................................................................................................
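The WIM record above (4,227,088 bytes, "WIM image v1.13, reparse point fixup", with an MZ header visible a couple of hundred bytes into the preview) and the two PE32 executables that wimserv.exe then drops (2,421,224 and 1,802,728 bytes, SSDEEP chunks that also occur in the WIM's SSDEEP, and the "L" right after "PE.." in both previews being the 0x014C i386 machine byte) are consistent with the two images being stored raw inside the WIM: their sizes add up to 4,223,952, about 3 KiB short of the WIM. The script below is an added example, not code from the sample, from wimserv.exe or from Joe Sandbox: it decodes the fixed WIM header (offsets and flag bits follow the public WIM header layout) and carves uncompressed PE images out of the blob so they can be hashed and scanned without mounting anything. It assumes uncompressed resources; a WIM with the compression flag set needs a real reader such as wimlib first. The sample input is constructed inside the block and is not the dropped file.

```python
"""WIM header check and PE carver for a dropped System.wim.

Added example; not code from the sample, wimserv.exe or Joe Sandbox.
Assumes the WIM stores its resources uncompressed (as the sizes and
SSDEEP overlap on this page suggest); header offsets follow the public
WIM header layout, PE offsets follow the PE/COFF specification.
"""
import struct
import sys
from typing import List

WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HDR_SIZE = 0xD0                 # fixed header is 208 bytes
FLAG_COMPRESSION = 0x00000002
FLAG_RP_FIX = 0x00000080            # what `file` reports as "reparse point fixup"
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_wim_header(data: bytes) -> dict:
    """Decode the fixed WIM header; raises if the magic is missing."""
    if len(data) < WIM_HDR_SIZE or data[:8] != WIM_MAGIC:
        raise ValueError("not a WIM file")
    cb_size, version, flags, chunk = struct.unpack_from("<IIII", data, 8)
    image_count = struct.unpack_from("<I", data, 44)[0]
    return {
        "header_size": cb_size,
        "version": f"{version >> 16}.{(version >> 8) & 0xFF}",  # 0x00010D00 -> "1.13"
        "flags": flags,
        "compressed": bool(flags & FLAG_COMPRESSION),
        "rp_fix": bool(flags & FLAG_RP_FIX),
        "chunk_size": chunk,
        "image_count": image_count,
    }


def carve_pe(data: bytes, start: int = 0) -> List[dict]:
    """Find every MZ/PE header from `start` on and return each raw image.

    A hit needs a plausible e_lfanew, the PE signature and a section table that
    fits; the carved length is the far end of the last section's raw data.
    """
    found = []
    pos = start
    while True:
        pos = data.find(b"MZ", pos)
        if pos < 0 or pos + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe = pos + e_lfanew
        if not (0x40 <= e_lfanew <= 0x1000) or data[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(data):
            pos += 2                                    # stray "MZ" bytes, keep scanning
            continue
        machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
        sec_tbl = pe + 24 + opt_size
        if nsec == 0 or nsec > 96 or sec_tbl + nsec * 40 > len(data):
            pos += 2
            continue
        opt_magic = struct.unpack_from("<H", data, pe + 24)[0]
        end = sec_tbl + nsec * 40 - pos                 # header-only extent, relative to MZ
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
        end = min(end, len(data) - pos)                 # truncated image: take what is there
        found.append({
            "offset": pos,
            "size": end,
            "machine": MACHINES.get(machine, hex(machine)),
            "pe32plus": opt_magic == 0x20B,
            "dll": bool(chars & 0x2000),
            "timestamp": ts,
            "image": data[pos:pos + end],
        })
        pos += end
    return found


def build_test_pe(machine: int = 0x14C, payload: bytes = b"\xCC" * 64) -> bytes:
    """Constructed minimal single-section PE, used only as sample input."""
    pe32plus = machine in (0x8664, 0xAA64)
    opt_size = 0xF0 if pe32plus else 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0x6513_0000, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = 0x200
    sec = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (raw_ptr - len(hdr)) + payload


def build_test_wim(images: List[bytes], flags: int = FLAG_RP_FIX) -> bytes:
    """Constructed v1.13 WIM header with images appended raw (no lookup table/XML)."""
    hdr = bytearray(WIM_HDR_SIZE)
    hdr[:8] = WIM_MAGIC
    struct.pack_into("<IIII", hdr, 8, WIM_HDR_SIZE, 0x00010D00, flags, 0)
    struct.pack_into("<I", hdr, 44, len(images))
    return bytes(hdr) + b"".join(images)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()
    info = parse_wim_header(blob)
    print(info)
    if info["compressed"]:
        sys.exit("compressed WIM: extract the resources with a WIM reader first")
    for n, pe in enumerate(carve_pe(blob, info["header_size"])):
        name = f"carved_{n}_{pe['offset']:#x}.bin"
        open(name, "wb").write(pe["image"])
        print(name, pe["size"], pe["machine"], "DLL" if pe["dll"] else "EXE")
```

Run it as `python carve_wim.py System.wim`; each carved image can then be hashed and compared against the SHA-256 values of the two wimserv.exe drops listed above. The carver deliberately does not trust SizeOfImage or the lookup table, only the section table, so a header that lies about its virtual layout still yields the bytes that are actually on disk.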
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 42 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):3939
                    Entropy (8bit):6.4055948873455275
                    Encrypted:false
                    SSDEEP:96:FSFo7FPWlknGbOJqHUfURuFID9AHNf5R5R5R5R5R54xcHoBhHtURHEgIURHtrMWS:FSK7FAknWZHiCCWcIBhN040+WU24zl
                    MD5:A3AFAEE8ED97669174E333565A81A9E0
                    SHA1:04931E0C918FF55D972699525C011731823F5392
                    SHA-256:3132CF46D717DF504C5E9F1CFA2502BE9AA9499C3520A9F245354B6C4664871F
                    SHA-512:93CCEFFF0E8816EB4E4469EB592E6AE444335373ABE1C0209DAA78A90B32C17C83368820DF6FA2CEC213AEABBAEFC55E7BFDA78CDB7CAD20356D28695719B09D
                    Malicious:false
                    Preview:.PNG........IHDR...*.........Y..{....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-27T00:08:05+08:00" xmp:MetadataDate="2023-09-27T00:23:06+08:00" xmp:ModifyDate="2023-09-27T00:23:06+08:00" photoshop:ColorMode="3" dc:format="image/png" xmpMM:InstanceID="xmp.iid:4011951
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):3603
                    Entropy (8bit):6.495436480868015
                    Encrypted:false
                    SSDEEP:96:SSCo7F8knGLWaOJIDo/y9AEHoTHLHEgAHMPNhmPEN5ci:SSz7F8knETzITrwQxNyi
                    MD5:5FF509D9B2D96AACBBBABC80769C6A6D
                    SHA1:0F03F8C7D841E407B5BAA71E0577D3DBB029076B
                    SHA-256:619FB0C5B3762429AAAFC5C39CDD591313E4C0F4445E93382AAC42BB7C0771D1
                    SHA-512:B0C83BBCC8CAA449D86A1D18301FC32BCC0F85E32298E85F46248D5AA8720547C23899E55F30CC1F5ACC51E548EFBBD7F4BF9ECE26F192F983517130A0B259A2
                    Malicious:false
                    Preview:.PNG........IHDR...0...0.....W.......pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-24T01:13:28+08:00" xmp:MetadataDate="2023-09-24T01:26:11+08:00" xmp:ModifyDate="2023-09-24T01:26:11+08:00" dc:format="image/png" xmpMM:InstanceID="xmp.iid:a8db02eb-2e33-8a4e-b385-4910ef2
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 474 x 58, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):8758
                    Entropy (8bit):7.187444546196136
                    Encrypted:false
                    SSDEEP:192:XSo7F8knEegISECD9hrr9rrsIOcyxeGe/tOfHc2:CoNnErCCD9fOcyxrKk
                    MD5:55DACD6A8426DC470758C76A329CC5BA
                    SHA1:A3AB4D47514A3EA86BAB6F788927538F07D7E80D
                    SHA-256:95F036A0A945C167216BB60CFD35FC6A054B99D9AA8850EBA08B83610451132E
                    SHA-512:BB6B79CD6B38665F1FB534070520E01112158C7F02440E056A9A320849EEC95CB316CF7CEF97C0BE7AD8BE64B3608F6EA556AFFB392C33B8DCDA93193EAE406D
                    Malicious:false
                    Preview:.PNG........IHDR.......:............pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-22T15:32:12+08:00" xmp:MetadataDate="2023-09-26T23:46:27+08:00" xmp:ModifyDate="2023-09-26T23:46:27+08:00" dc:format="image/png" xmpMM:InstanceID="xmp.iid:93d59955-6142-e844-8e7b-c117ac7
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 220 x 68, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):2167
                    Entropy (8bit):6.35120679427145
                    Encrypted:false
                    SSDEEP:48:Tu/6+zo7FDs9WlknNJpMr9les35Hoy3MSHzNG4f7KGpoH2fpT:ySEo7FmWlknNJGrimHoPSHzNG0GGpoAl
                    MD5:6EF3DE4295AA07ECEFAD372141458701
                    SHA1:B30FE36B7AAC7A06104F698109F394B6E3ED48D7
                    SHA-256:5CEA0C4246849903C50D43EC80DB8EE3FE9B3091025AC3CA0E5BB6F08C3FB9C2
                    SHA-512:4AF1F2A09F054EAFD197CD1FE9952D7E989EBC0D4DCC543FC6FAE786EEF56F059E657A6415C0D464A9852DB95F1378F4C885C1D7F5C5F5480EC3CFF80D37029C
                    Malicious:false
                    Preview:.PNG........IHDR.......D......o[.....pHYs................oiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-25T17:09:09+08:00" xmp:MetadataDate="2023-09-25T17:09:09+08:00" xmp:ModifyDate="2023-09-25T17:09:09+08:00" xmpMM:InstanceID="xmp.iid:5ef91bb6-9ae0-8841-a2cf-e2a8770dd7c8" xmpMM:DocumentID="adobe:docid:photoshop:cc52a923-9806-ae4e-aa7e-fb18084eba65" xmpMM:OriginalDocumentID="xmp.did:9dbea3b9-d73d-5a40-a062-8e0c853dc8d1" photoshop:Co
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 42 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):3838
                    Entropy (8bit):6.337451736858294
                    Encrypted:false
                    SSDEEP:96:FSFo7FPWlknGbOJqHlDuehmxt9AHNf5R5R5R5R5R54xcHoBhHu7zHEg2hPzHZmS7:FSK7FAknWZHl18fCWcIBhO7zmNz5SAx9
                    MD5:3857D1E6C48B9E70EACDBE544788D7D2
                    SHA1:AE200C684D1B127DC579019883EB6DEF28BA384F
                    SHA-256:EFB2F3D9318F61A832CBA5B8C6E3870D2CB8476D5F40157BF2A33648E222889A
                    SHA-512:9A089594D1B7D89AC6125B07E5FF077729E37675F9171A27287CEE3B74126827E1831D49EBB6EEEC226D060B69C31A3D3B8E57E55C83370B36FC8DE1056609C9
                    Malicious:false
                    Preview:.PNG........IHDR...*.........Y..{....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-27T00:08:05+08:00" xmp:MetadataDate="2023-09-27T00:14:43+08:00" xmp:ModifyDate="2023-09-27T00:14:43+08:00" photoshop:ColorMode="3" dc:format="image/png" xmpMM:InstanceID="xmp.iid:89b1c8e
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):686491
                    Entropy (8bit):4.874047704021639
                    Encrypted:false
                    SSDEEP:1536:UwSiSpSAHST7SSfSLWShnkSTStHseVlfSTSnyEStpnSpnMdSHHS4osNSJYu0ScZd:iPYlnK/3u+ucippS4L8jLNyjQvK6gh0C
                    MD5:D12A658DBA8EDF2CABF6E281DE14F9E4
                    SHA1:178DC57B485E66D36A2A1BAA027B88BE65866EF3
                    SHA-256:F9702EF5A7CA3ADC765E97A55C402237541712C691E3C7C9E7CDF7147338CB0D
                    SHA-512:399060687B9E43CC681CA1FBF515D53115F5E1FDCDAF9D6DB3735BB23C41C7FDDD5A96E69A99972D1737ECA633BD6D0C1E903A31A4CB170A3D9D6C688FC77569
                    Malicious:false
                    Preview:2023-09-22 00:00:03,550: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:13,601: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:23,597: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:26,373: INFO infoCategory : read -1937777048 value from reg err!..2023-09-22 00:00:33,598: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:43,601: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:53,596: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:03,601: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:13,629: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:23,628: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:33,625: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:43,630: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:53,630: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:02:03,628: INFO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):830489
                    Entropy (8bit):5.111941375721001
                    Encrypted:false
                    SSDEEP:1536:6SERUmSiS8SRw2ltS8TKOSB4bSqiSpsSxzeSxHxxZsSCXaUsLSOmf4SThS2SCr8i:HrPtRmddozxPFENMjCJH5kKBavzTW
                    MD5:8AEECE92BE2F1744219AA78BFAE59695
                    SHA1:772A08E56B8EB20CB64C36280F15B56942AD11F5
                    SHA-256:7531C5AADEB6B777A973847792A40F6E179430506B08713B6183BF06CF7186B4
                    SHA-512:37B589D2EF7879E6F6C1A326A65ABF747763F13F2FA4B077A748FE88910FD60EA03C5186DBC856EC6A272F756B2B12C7C6D80AD4962BEECDEA5A3F584E8A891A
                    Malicious:false
                    Preview:2023-09-23 00:00:08,910: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:18,967: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:28,965: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:38,961: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:48,962: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:57,362: INFO infoCategory : read -829432920 value from reg err!..2023-09-23 00:00:58,963: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:08,958: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:18,961: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:28,961: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:38,965: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:48,962: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:58,963: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:02:08,957: INFO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):773551
                    Entropy (8bit):4.93710940998137
                    Encrypted:false
                    SSDEEP:6144:Tyomoeebkb2iJbBBGGdhGacvEG0XyybBgannDTKaJd:/+
                    MD5:B45D621946973D75307685592F93F2A3
                    SHA1:8FDFF9D4BD5E1E224710767C27CE701E25E424C6
                    SHA-256:380AF63A8192A7C1B4A870F993ED66FD2E7B25236FAA3AE553EEC857D7AF302B
                    SHA-512:711CD40EBD8F15C0FDC1F3B74AC84D3D4ECDA283AD5CDEB6D776379553D39841E057BBD80CFD98718078433A31FCDEE5A1234CDC8C345A6B78A4C8F964C469C0
                    Malicious:false
                    Preview:2023-09-26 00:00:07,191: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:17,221: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:27,222: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:37,219: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:43,598: INFO infoCategory : read 1080023848 value from reg err!..2023-09-26 00:00:47,222: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:57,222: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:07,215: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:17,220: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:27,218: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:37,216: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:47,220: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:57,218: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:02:07,217: INFO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):733323
                    Entropy (8bit):4.911194605856627
                    Encrypted:false
                    SSDEEP:6144:Yx4TnlY64qEgEQpvLzfQ2YGq0726g68Zsn:V
                    MD5:35AD706650DEB623156081B37C593CC6
                    SHA1:6CFBEF36FBC23C975866C5F68A791A37670F05B5
                    SHA-256:99881570FEF0DD53E8259052BD19CA3B2D03BFD6E6FDA03E6F112E79A585E74B
                    SHA-512:166DED701231C655A976771D30E082AA460E800C8FC7A2D66BD1E848AECECBD54CDE020E2DC35E26443861BB74097FCFEC533E0B9C6F0A86BD9BFAA1F15AD9A0
                    Malicious:false
                    Preview:2023-09-27 00:00:01,204: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:11,248: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:21,253: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:31,250: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:41,254: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:43,647: INFO infoCategory : read 1080023848 value from reg err!..2023-09-27 00:00:44,189: INFO infoCategory : ServiceStrl SERVICE_CONTROL_SESSIONCHANGE!..2023-09-27 00:00:44,189: INFO infoCategory : Service Control Session Changed begin!! msgid=8..2023-09-27 00:00:51,252: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:01,247: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:11,250: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:21,250: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:31,249: INFO infoCategory : CCenterClient sendHeartB
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):166494
                    Entropy (8bit):5.119038538693684
                    Encrypted:false
                    SSDEEP:768:/A0UMAVQDdO1UrqTm2+5SRN0KSIkJgSjxP0S+aMGSbKr6SQJv:/A0pO1UrqTm2+5S0KSfgSV0S2GSo6Ss
                    MD5:CA397EE8B595D011C051FFF68BF8537B
                    SHA1:0FE0F5436DF99C4667783F3F7FAFE040C25FED1A
                    SHA-256:C4F36729F404ACFEA633033056D3E36B4F5B33782294ED9B207384ACF80606D3
                    SHA-512:6398A66380F880122A1F93BBE0E9ED7167CC0BC51C8380ED8FEE3A4340674632E4F95358C4AB1AEB35976CFE56FDBE4DFC75EAFC122552B9A728ADDD3CB0F1F1
                    Malicious:false
                    Preview:2024-05-12 05:10:48,087: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2024-05-12 05:10:48,134: INFO infoCategory : CCenterClient doConnect start sock 134.175.254.188..2024-05-12 05:10:48,134: INFO infoCategory : tcp begin connect! address=134.175.254.188 port=443..2024-05-12 05:10:48,134: INFO infoCategory : tcp end connect! ret=-1..2024-05-12 05:10:48,134: INFO infoCategory : tcp connect err! begin select!!..2024-05-12 05:10:52,136: INFO infoCategory : sock connect select err!! errno=0..2024-05-12 05:10:52,136: INFO infoCategory : client create connect to comet !sock_ sock=1256 ip=134.175.254.188 port=443..2024-05-12 05:10:52,198: INFO infoCategory : center client connect err!! sock=1256 ip=134.175.254.188 port=443..2024-05-12 05:10:52,200: INFO infoCategory : CCenterClient run CenterNetState_ConnErr..2024-05-12 05:10:52,215: INFO infoCategory : center client disconnect!! sock=1256..2024-05-12 05:11:14,894: INFO infoCategory : ServiceStrl SERVICE_CONTROL_SESSIONCHANGE
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):3178
                    Entropy (8bit):5.18437746651025
                    Encrypted:false
                    SSDEEP:48:zxQU81JT1qo8mjJEJPIPjUYATD7bdgePchvyzMbJcIUJc01JJcL1Jcit89oJBJlf:mt1l/3jq9Iuee8zwd1HIDPoo/jH/
                    MD5:3394C8D979C9B45743A2938A2C12F63C
                    SHA1:D16F767870426280B4BFF430780E6929D32F1540
                    SHA-256:AD0F4F73AFA59D2D908EF01735C256358DBC27DF6CC743D545A6F34F871F82F0
                    SHA-512:53B097516678F306CA956D591C50A5D7E6E69EC2DB6B453816AC18C034A76E3AABFCBB79D59F061EA6EE32BDC67A75AAF9DF505DF50965E9B768210E106B4890
                    Malicious:false
                    Preview:2024-05-14 03:13:38,710: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2024-05-14 03:13:38,754: INFO infoCategory : CCenterClient doConnect start sock 134.175.254.188..2024-05-14 03:13:38,754: INFO infoCategory : tcp begin connect! address=134.175.254.188 port=443..2024-05-14 03:13:38,754: INFO infoCategory : tcp end connect! ret=-1..2024-05-14 03:13:38,754: INFO infoCategory : tcp connect err! begin select!!..2024-05-14 03:13:42,763: INFO infoCategory : sock connect select err!! errno=0..2024-05-14 03:13:42,763: INFO infoCategory : client create connect to comet !sock_ sock=1296 ip=134.175.254.188 port=443..2024-05-14 03:13:42,768: INFO infoCategory : center client connect err!! sock=1296 ip=134.175.254.188 port=443..2024-05-14 03:13:42,783: INFO infoCategory : CCenterClient run CenterNetState_ConnErr..2024-05-14 03:13:42,795: INFO infoCategory : center client disconnect!! sock=1296..2024-05-14 03:13:50,117: INFO infoCategory : ServiceStrl SERVICE_CONTROL_SESSIONCHANGE
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):38183
                    Entropy (8bit):5.222123659270451
                    Encrypted:false
                    SSDEEP:384:6fB+INrHOIRyiMYawAAA51cBtMzHB3y2NbhNH7r0Znoxkjq0liAeYZJYNl4fRtSm:2+X1cfGHB3y2TqS9soqSmhaVSCBq
                    MD5:EEE5B18F1D7C1AFAF1AB9DB2F32CA6E9
                    SHA1:5FBFBC71A0E994F22C607F4ED18BA73BC995853F
                    SHA-256:8D73BDAC0935A82F2CCA24EDAD4DB094F4BF25C8425F4F5D3F065E1AFF137E32
                    SHA-512:CF180A805EDE80DD96260EC855B2C2461D298368B0878CAAFFABC1F90F7DF31C30FC037FDD2FC0575491CD173C977CEA1F952390C59A18081E265901535020C9
                    Malicious:false
                    Preview:2024-05-15 00:52:39,896: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2024-05-15 00:52:39,957: INFO infoCategory : CCenterClient doConnect start sock 134.175.254.188..2024-05-15 00:52:39,958: INFO infoCategory : tcp begin connect! address=134.175.254.188 port=443..2024-05-15 00:52:39,958: INFO infoCategory : tcp end connect! ret=-1..2024-05-15 00:52:39,958: INFO infoCategory : tcp connect err! begin select!!..2024-05-15 00:52:43,961: INFO infoCategory : sock connect select err!! errno=0..2024-05-15 00:52:43,961: INFO infoCategory : client create connect to comet !sock_ sock=1260 ip=134.175.254.188 port=443..2024-05-15 00:52:43,972: INFO infoCategory : center client connect err!! sock=1260 ip=134.175.254.188 port=443..2024-05-15 00:52:43,987: INFO infoCategory : CCenterClient run CenterNetState_ConnErr..2024-05-15 00:52:43,992: INFO infoCategory : center client disconnect!! sock=1260..2024-05-15 00:53:00,425: INFO infoCategory : CCenterClient doConnect start sock 134.17
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with very long lines (4160), with CRLF line terminators
                    Category:dropped
                    Size (bytes):485118
                    Entropy (8bit):5.323777027767362
                    Encrypted:false
                    SSDEEP:1536:C4uhDwWecxYp8aySPvtPLuAUPpty4+0f1:BBcqlPZa
                    MD5:72AA4E53E767441D334347F003329BCF
                    SHA1:CA1E20806B1967A0A97CB421B961871543195451
                    SHA-256:817E8B2221D34D0D74BC3398489D12CE97934184BA419BA8F3479D3639602EFD
                    SHA-512:5DF5120A696502DCCD5F0EFF56C9D9BFADEC6EA65FDA5B781124450A470BA7D7CB675BB1880E92D7EE64904BF6D1CC7A0752DD3087240EC8AFC2574D415A989E
                    Malicious:false
                    Preview:2023-09-20 19:17:14,051: INFO infoCategory : file path not exist. path:C:\Program Files\ToDesk\ImageResources..2023-09-20 19:17:14,055: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2023-09-20 19:17:14,087: INFO infoCategory : start todesk_session pid = 15180..2023-09-20 19:17:14,089: INFO infoCategory : tcp begin connect! address=127.0.0.1 port=35600..2023-09-20 19:17:14,089: INFO infoCategory : tcp end connect! ret=-1..2023-09-20 19:17:14,089: INFO infoCategory : tcp connect err! begin select!!..2023-09-20 19:17:14,094: INFO infoCategory : sessionconfig privacy_screen_image_url:, privacy_screen_image_md5 : ..2023-09-20 19:17:14,095: INFO infoCategory : gpu infos :[.. {.. "feature" : 21474836485,.. "id" : "8086",.. "name" : "Intel(R) HD Graphics 5500".. }..].., gpu_list :1 client_screenlist:1 sfu:0 use_ext_video:0..2023-09-20 19:17:14,095: INFO infoCategory : licode state:expriment:1 config:1 planb:1 enable_multiscreen:1 datachannel:0 multiscreen:0
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with very long lines (4167), with CRLF line terminators
                    Category:dropped
                    Size (bytes):946378
                    Entropy (8bit):5.3348458736268105
                    Encrypted:false
                    SSDEEP:1536:SMmiYjTMVIq7YbYMtYHJrkeSRCm70RJxBp0HCctBHxDmcEaI6h5SUZulwcq/Yxgx:+BjVa0
                    MD5:6AA73BF45D334D3E095C5A9752DA8059
                    SHA1:223FD37CAD90932CCB2A3F147A3C8300F0C70B9A
                    SHA-256:7F65899C602660E16CABD0364739CCF32DA895411E9FC2C0D6BC6580F3715115
                    SHA-512:3F04E36B74E54785E5B006C6BCF6BB2668362360818999DB5A7FAF7886E66F3CF4ABE6029DA0C4205754146D45D47DF96E391529F0972444570456C00CB45E5B
                    Malicious:false
                    Preview:2023-09-21 10:29:27,858: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2023-09-21 10:29:27,873: INFO infoCategory : start todesk_session pid = 3176..2023-09-21 10:29:27,874: INFO infoCategory : tcp begin connect! address=127.0.0.1 port=35600..2023-09-21 10:29:27,875: INFO infoCategory : tcp end connect! ret=-1..2023-09-21 10:29:27,875: INFO infoCategory : tcp connect err! begin select!!..2023-09-21 10:29:27,876: INFO infoCategory : sessionconfig privacy_screen_image_url:, privacy_screen_image_md5 : ..2023-09-21 10:29:27,876: INFO infoCategory : gpu infos :[.. {.. "feature" : 21474836485,.. "id" : "8086",.. "name" : "Intel(R) HD Graphics 5500".. }..].., gpu_list :1 client_screenlist:1 sfu:0 use_ext_video:0..2023-09-21 10:29:27,897: INFO infoCategory : licode state:expriment:1 config:1 planb:1 enable_multiscreen:1 datachannel:0 multiscreen:0 screenid:0 enableSendV2:0 enableLicodeAudio:1..2023-09-21 10:29:27,897: INFO infoCategory : zrtc_config:{"use_p
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):873827
                    Entropy (8bit):4.301657727027266
                    Encrypted:false
                    SSDEEP:24576:uHdWyFg/RwKLhCFwxH3kRedb7VzzW5UvFHirMBbaZd:c
                    MD5:DD93BC2F2EF179D2ED6F106B330EE294
                    SHA1:7272282FD6B6C1A796866236B4B739CDFC91DBFC
                    SHA-256:2E148A8165C6D5ED4923C9FFDD41D92C4EB318D3B7A1DC95E40025C0CC44AD4A
                    SHA-512:0FB1AE11C0A78C92D0043FA2F7AFDCE308CFED276772377896DD4437B61FC79565A7716835C36C4528346443C9BD0781C4AE42ACE9F3317032C88A4441F15655
                    Malicious:false
                    Preview:2023-09-20 20:22:12,614: INFO ZRTC : ce26993a0b6ee3e1ec7dfdc4fb3e3f148b6eaa7b5e7356273cb1796bfb5971d702469a9cc4c8f81cad38f246324e678d0ed88b6529db2361a26cb932b14290dde172abb467b5a771bef7ef281b7a18e0645c63f9bf926e3d161ccfa1edb5a92e88e3e9c31ee0c6d930b1fa02a1ee5243d994b669335c18befec92ee8ee2ffd1d2078c0818459627a4f7163b213..2023-09-20 20:22:12,621: INFO ZRTC : f5bfd9017d6868406ea3c7f1f28a05f102fd618f8e80dc2a2f81cb7af842d61be62c398a9d833e282e7b653fadac591192883fcfd0e1d2e248fe7629e88cf647381dcf5a326bcf7df27452dbe50c2b71ce3516950cefef65829bf9a9feb6f3010c3c78ef87ae6adc5d4cc486cb03561ab8b45c0046a9090a4b4fc79d64204623b509cd46dcf51c74a0f8c2a1acb8729e33e32c04668a200e5de42fbac204db17..2023-09-20 20:22:12,625: INFO ZRTC : bdeea554d166f145970960cc14e559f7365d4d2b54f6f0709a0d6f4d65b68f0d848818916587b27a2337f073ff56d628f1d1068080f6f701f93e6c4941d192844d6a396a17f6b6c9f4b5ca150e435dc63b28377a3f15913d206ad0d30ab550caaef031fa1fb6470c5e87b82aa3b9e4b213a93b84350e3dee74d05fe8f8c59f5a77a658560d..2023-09-20 20:2
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):150
                    Entropy (8bit):4.475201182365198
                    Encrypted:false
                    SSDEEP:3:Fla1ll/ljM0B1paHG/f/o/g+BCsgYcqBlfJm0xUngsn:C1JUG/Y/g+BVLM0xUgs
                    MD5:ACCAE188E4DFF929C1783C209764BCCC
                    SHA1:70C73301CB300859DD34F668ABB861A5BA370EF1
                    SHA-256:0E305FBA95D7C3490D04F0AD5CCE70AF98E4E7F0F99564EA4FD60040817E23FB
                    SHA-512:7148128093A61993B7FAA7291F8F35343B4BCF437E58E87F5C144177B6E8CF4DD2F183EA6A781A6130F8A85CB32D6028B7AC1794E8116EA2F087987701689B83
                    Malicious:false
                    Preview:.........y@....................i.v..h...xS..Yu..."..$...............$...................m.....3..............$..................>x.~.._...m.q;fg....
                    Process:C:\Windows\System32\wimserv.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):436
                    Entropy (8bit):7.132968836552489
                    Encrypted:false
                    SSDEEP:12:6v/7iIL/6T+tDScEXJ1IvxuO3j1+TJymfw2YlN:2/6qO51Ipdj18zI20N
                    MD5:793A8A5B150227B86A2C57F78AC4B191
                    SHA1:9AC5B30B335125A23F0D6D1C4EDC67EAA1E4EC60
                    SHA-256:2E34EFFD8BB007D45F62744D7575B362F5299FD68E8EC24B161386271920AAA2
                    SHA-512:9B64EC5793053782BBEE4721D8047108009745330FD38ADE1C08AD772C05560B22517534C86BECBE59AB7D1B7267E857D07C6C27A58FC82072099DE5C543794D
                    Malicious:false
                    Preview:.PNG........IHDR..............H-.....pHYs................ cHRM..z%..............u0...`..:....o._.F...:IDATx.l..KTQ....}=.V.)BT..._..?.,..U... ...A...E....M....=-.7....s...s.M..Z....M.........xk9...q..j........^........,.....V......ce.7...+..C,t.....E.I...c|(ElO.)0...]..J....../J..3..M..*E\.I':7/...K...U.O!..S[.YZ~ZY.."...._g......oT~W...b....8ig..j..A1..H.W....=...,R........."~a....s....R..7...Cn})..m.....IEND.B`.
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:GIF image data, version 89a, 14 x 14
                    Category:dropped
                    Size (bytes):3523
                    Entropy (8bit):7.614619712353673
                    Encrypted:false
                    SSDEEP:96:xavXLks8MaUvYAlM6vrHdO0MGGd5tFLwJBMsQeG2ssDW:xaP89UAgTvr80MGGdnFM/MIRK
                    MD5:FBFA413B2696A767E6E45E9CA68F8C05
                    SHA1:ED06B3D6ABED4694FBB01548CB705113104A3FF1
                    SHA-256:EE0E0FE544B1CDFB01DF2C15257935A78A2827FAB8ADA5146C4E9C2A7F7343E0
                    SHA-512:7C0383C8C72AEE8E9FA48E116279E678A42A650367BBE093C51F8058E9B77F733F03B2775CDA093DAD1F18E1FC9181570221CB7E6F65E902B6E8CC639C8DE568
                    Malicious:false
                    Preview:GIF89a.........m............K.~.........d.N...Y.......V..L8.q^.....Q...j.......P}.).f<.tR....t.4.n3.m......&.d].......0.kI.}F.{@.w...X.,.h..y...T..Rc....T.........%.cq...J..................................................................................................................^....................w....v....f...........+.h.......M....:.r...s....B.x...#.b.........7.p[......?.v.........;.s..\..O..T.....W......Z.....z.{......._/.k......p...].._{....b.`.b.M.......A.x...........E.z..............k.C.y...Z.O.2.l..[...................L.....}................l.>.ua.C.x.......A.x...........1.l..1.l...U.W....7.qI.}J.}..S......g.g.g...........................G.|z........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="ht
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):557
                    Entropy (8bit):7.267033795446974
                    Encrypted:false
                    SSDEEP:12:6v/7iIL/6Tx+rX4ct5V2iGAqSJ+ESMuY15if4wTqKU1:2/6o9HUiG9SsESMu5f8r1
                    MD5:520F251255D3A5A93C06DF3578434F57
                    SHA1:B1E57A2860FB119F311EED65392BC1F9090F6D6B
                    SHA-256:A6BBC4ECA3DCEB3C3534336BBF0F9D731546BB1D0DB1B7298C241C6DD41EC30D
                    SHA-512:D744528C9C8943437E594B4B618C08B862C091C37DEDF3FFF687B84360136C9B48DBCAB11F6E58E2F83B7891124DF749FCBD5B59F52103EAC3DD054CB69E25CA
                    Malicious:false
                    Preview:.PNG........IHDR..............H-.....pHYs................ cHRM..z%..............u0...`..:....o._.F....IDATx.|..kSQ..?..n..E..A....K.AP.... b[(.@l.(..S..Nn.U.... ....P..[.....*....qH.m3.....s....S.kd2...$p..........V.z.u[.S. .U.N..@.X..0...<{......E.T$=....@.\..9...w...$...F..X....]&( t..r..%!..!f+.I...F....Y.TF......$.;I....1W..af.*q..#..X.<..q...<l...&....}T.."y...@............W......qHj......k....5..-QkvL9......K..C...>..u.....<n.&q"o.m...v.....%+.$M.0.3..z....r@K..,Y.(.....,......"p.X..No{o.....J....I..;....7..f......yn.=.f......IEND.B`.
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, xresolution=86, yresolution=94, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2023-04-11T13:07:30+08:00], baseline, precision 8, 733x250, components 3
                    Category:dropped
                    Size (bytes):55732
                    Entropy (8bit):7.949431508721036
                    Encrypted:false
                    SSDEEP:1536:Ss3D6gNjGR5ctSTpV3MOa55ml7w/xQHBtyGJwLa3HqiqhPqdH:F+gNW5ctSL3M3xQH5w2UmH
                    MD5:E8CEF6B4CABF2FFEFBD539EB27F4A743
                    SHA1:F97C07AD993E288B5D3B0EF2F35B5B02AD509C51
                    SHA-256:CB613494959F76887EA602E6418C12885BF2494FD0CFA66D14E825A15893AA03
                    SHA-512:8B112C81CD84F7480F347E4AC37E5D6327D954FFAAE44F2F41ED8CBF0D4D5765564D696BB9B23BE608C82D3810F2A066813578806B9E8DEF00AE42B6A7059111
                    Malicious:false
                    Preview:......Exif..II*...............V...........^...(...........1.......f...2...........i...............H.......H.......Adobe Photoshop CS6 (Windows).2023-04-11T13:07:30+08:00...........0220..................................................Ducky.......P......http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmp:CreateDate="2023-01-01T16:54:53+08:00" xmp:ModifyDate="2023-04-11T13:07:30+08:00" xmp:MetadataDate="2023-04-11T13:07:30+08:00" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:C2C21422D82611ED9728A73C17A3E044" xmpM
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, xresolution=86, yresolution=94, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2023-04-11T14:10:09+08:00], baseline, precision 8, 733x250, components 3
                    Category:dropped
                    Size (bytes):56195
                    Entropy (8bit):7.953589169354653
                    Encrypted:false
                    SSDEEP:1536:3sDJC5V4/lAoyQ62fovExq7izX1c2VuGTzFLVu:eJuV49KFqoj2kKBs
                    MD5:7A8800F3038CC09838125CE29851B6C2
                    SHA1:F400906FACA9C349BDC5B09CA782B091F83AA4FE
                    SHA-256:332856778FBDB88157ACDEC8D8ED774101D47DA48D4A6888041B08A082584FAB
                    SHA-512:16BD34E9F033F1BA1EF5D12533520C433EE922B77E941C9238F31199837E9ACF58A5C928B228F8562D49743CFAD13A9F026B8C6D2737B3ECEBEB19F864AEFE29
                    Malicious:false
                    Preview:......Exif..II*...............V...........^...(...........1.......f...2...........i...............H.......H.......Adobe Photoshop CS6 (Windows).2023-04-11T14:10:09+08:00...........0220..................................................Ducky.......P......http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmp:CreateDate="2023-01-01T16:56:00+08:00" xmp:ModifyDate="2023-04-11T14:10:09+08:00" xmp:MetadataDate="2023-04-11T14:10:09+08:00" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:832A983AD82F11EDB2CD87B634D50FC6" xmpM
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 157 x 181, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):7146
                    Entropy (8bit):7.938889974526774
                    Encrypted:false
                    SSDEEP:192:VSHIIHUCD4wa2YLLLibLtdl2Yg7jLPPpXsCE:050wdYLLLibRqN7jL3pXTE
                    MD5:D74C43E26FEA60F76644BE3B77AE76D8
                    SHA1:DF2CD4ADD519C36ACEC0C2F66D031545E4F5DCA1
                    SHA-256:4D62C46F974EB4762A91856C09D7C0BABFCFAE1A97E1041470C6A23B6CBE4F9D
                    SHA-512:E5963A438D384A853635D301DBBC5E902F144C888FBA9CB934401C049C9DAFB42FBE6134E1FE3715751A6CC5CF21E3F9FACB193FC242B5044C963EFDD678DE84
                    Malicious:false
                    Preview:.PNG........IHDR.............E.......pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):22744277
                    Entropy (8bit):7.532563826064469
                    Encrypted:false
                    SSDEEP:393216:bHEuWJ6pOy4I2m5/fqo5kCyLZ29ujQ8b3ov0+pI:ge/fqoGdLMUh+G
                    MD5:B4B0AC2B60CFB4AE3F0A085D70A8938E
                    SHA1:B1B67EE3E24933D3771A053BF6D735349384839F
                    SHA-256:DFDBEB945FADF1E50777A73F90C1B1727EE63191554A662139A9187E71EEA11C
                    SHA-512:1D95641FEE1243BAB3AE24CC3740D2B4D30D52DA610CFEF4CC7FF9706A23E04A813621F9DBAE0D516CE1F8F8A5E62FB95000786C225C1C6FB6842186FB3C47E3
                    Malicious:false
                    Preview:.7......,.......,.......\........&.......7.......7..........................\...r...........................................................................................................................................................................................................J...U...........V........................V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.881160720969831
                    Encrypted:false
                    SSDEEP:48:6jOBtU/BXN8kUByyy/Aklkcrkyg7Vg5RibGoTCTo0gqVeeaeQqzM5rv774YRljmB:y/DMy4ncrkyg7tbpQFLUEYRxe
                    MD5:A7CD6206240484C8436C66AFB12BDFBF
                    SHA1:0BB3E24A7EB0A9E5A8EAE06B1C6E7551A7EC9919
                    SHA-256:69AC56D2FDF3C71B766D3CC49B33B36F1287CC2503310811017467DFCB455926
                    SHA-512:B9EE7803301E50A8EC20AB3F87EB9E509EA24D11A69E90005F30C1666ACC4ED0A208BD56E372E2E5C6A6D901D45F04A12427303D74761983593D10B344C79904
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.......................B..........Rich...........PE..L.....F...........!................F........ ...............................P.......................................#..c...x ..<............................@....................................................... ..x............................text...L........................... ..`.rdata..c.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.666004851298707
                    Encrypted:false
                    SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                    MD5:FAA7F034B38E729A983965C04CC70FC1
                    SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                    SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                    SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11264
                    Entropy (8bit):5.76003797720627
                    Encrypted:false
                    SSDEEP:192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
                    MD5:960A5C48E25CF2BCA332E74E11D825C9
                    SHA1:DA35C6816ACE5DAF4C6C1D57B93B09A82ECDC876
                    SHA-256:484F8E9F194ED9016274EF3672B2C52ED5F574FB71D3884EDF3C222B758A75A2
                    SHA-512:CC450179E2D0D56AEE2CCF8163D3882978C4E9C1AA3D3A95875FE9BA9831E07DDFD377111DC67F801FA53B6F468A418F086F1DE7C71E0A5B634E1AE2A67CD3DA
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....f.R...........!................+'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...o........................... ..`.rdata..C....0......."..............@..@.data...h....@.......&..............@....reloc..J....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):5.028908901377071
                    Encrypted:false
                    SSDEEP:96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
                    MD5:51E63A9C5D6D230EF1C421B2ECCD45DC
                    SHA1:C499CDAD5C613D71ED3F7E93360F1BBC5748C45D
                    SHA-256:CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
                    SHA-512:C23D713C3C834B3397C2A199490AED28F28D21F5781205C24DF5E1E32365985C8A55BE58F06979DF09222740FFA51F4DA764EBC3D912CD0C9D56AB6A33CAB522
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....f.R...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...J........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):46
                    Entropy (8bit):4.509883902076781
                    Encrypted:false
                    SSDEEP:3:yQmNV/K2PNqEdKRbZJ:DmNJfNqEdKB3
                    MD5:C9CFC92108B39132B5D3070962A32343
                    SHA1:62850E81FECB8891E376CDF672E74728CF478D8F
                    SHA-256:BFEF6DDA690882A584563DB70FB8D42FDC025C22ABF4AF4B974B316ED760CC69
                    SHA-512:F252732CC27A3FE28DBCF96FB7FC4E857DCFE9D6797C941364582FAEFD2695286E88572A2095BB67CA7037B9D8C2FAE005960473AAF9BC364B4328E52500C4BA
                    Malicious:false
                    Preview:[set]..url=http://tongji.sejai.com/drvceo.html
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):106
                    Entropy (8bit):4.724752649036734
                    Encrypted:false
                    SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                    MD5:8642DD3A87E2DE6E991FAE08458E302B
                    SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                    SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                    SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                    Malicious:false
                    Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:RAR archive data, v5
                    Category:dropped
                    Size (bytes):5687676
                    Entropy (8bit):7.9999699097359125
                    Encrypted:true
                    SSDEEP:98304:OsHa1LFC1iyGl10TaHtYdAPiFpA9pKiG+nVe4GTQNjy9ZkdiV74H0:OsHyLFHN0qtYdAkpA3zETQNjy9Zkb0
                    MD5:6F77D48226214DF8D76CA7800773ED3D
                    SHA1:71208E124F45752241CAC125FE78353EE8819C1D
                    SHA-256:06CE0A505958D76FFCD7909D3ED6E3E9C8B2FA0D21219D92945A21E1F0EA9290
                    SHA-512:3A8372D58831EA671577961320FFB44E1BC4193C91313F15DD9E2B964D347A4319FD7DD6714C36CDD143D409D6695EE9AC8554572DA2262CF38CD9574A71616E
                    Malicious:false
                    Preview:Rar!.....6.3................b_..<......... o..7.;..bakrdgv3.sys0....:...../#.~..#X ..,.D....>2.$=.e..vk..._................@i.B..C.G{.K...Y..c..3..`S.7.........A.\..#=...5FY'Gv.....KR..v..ztd@........_.ml4....Sk..1..*.......Z0...kZ...@.d...Q.}.....(l{WC.73S.......X@....;..e......._....7....I..\..@XWu.B..*o....Q........T...../.n.T..A.vg..t},C#.u.8vT...=^ ......).w.......x.~.kNG...0...~.oplr....1...6.M.{.....'.M>S..L..hO0VCB..q+."..."l"-l..wj...vm....r.F...T.wl.6.B...T....j.. .]P...=.b....X....?U...F....|H...)G.....U..~K{_....,...>.D......Ap.&......^.5...B|.$...<+$...N%....<...abu`..?.<..R....d.Z......_.X....a.H....D.i....li...d;.}.-.k..X.w._.......g....n..T...7cc.vl.jcoI.....7.w9...Oh..\..}.....A..^.*....k..fH..K......3..G.....8...|) ....P....Xy...u]..oB.....l.>..g....3.>.f...\.K..-T0...o.f;..h...k......m..b^..H./S y......S.~.i...g..k.......Yz@$\yrK..........z....s..uIv../.........5.Tv.F~.m.!..kaJ<3.B}x=.....ZG.......U',l.-...k-
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):4.110926983236756
                    Encrypted:false
                    SSDEEP:48:rnsPhyIobhchP+DMgugiKSuPrKCuHJd9axNadRkhchfvm4hVp7udOlk00PKllsu/:E3sicXimrz+dRkiZvVL8W
                    MD5:62705B429DA1526F316D4396624C3E82
                    SHA1:F9CA4424C9ABF61BAEC2E072586E7A0140FF0EFB
                    SHA-256:3D01CCD71906FC37DDAAD08E39F65FCDECECF5503428C68D8E0D727C7B414036
                    SHA-512:361301A7729AED44C8AFF7759ED27FA8E393B33F25502D27F56D963364E7865898A341BD0C9990468AD47BFBCFFAB484F1369F1C6E65273E9DEF336BD9A10788
                    Malicious:false
                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):423232
                    Entropy (8bit):6.386717951833311
                    Encrypted:false
                    SSDEEP:6144:XuY705FoAqekD/QTVm0nM9m8uXZxXt2GCYA0t28H9/:12qDYZmsl8uXZxX+f0s85
                    MD5:FB741FCEEB80A76F7F0005A1AC60604A
                    SHA1:A6A8D97365634B266F0B5A001038A5A86B9ED2D6
                    SHA-256:C8BD29C490368EBFC56DC5C951E24AF613F7E5B68A8493240F5EC1AFD9D4A9B1
                    SHA-512:8E43D1A8448828E9EA5FCAC792B95DCB63640EA200CB2D2DFF4902C4CEB6E79A405E0739D293C7CC14BB6EE025089FB9E954BA38E6707B92AC9FE251918BD780
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.....F...F...F...F...Fr..F...F.-.F@..F...F...F...F...F...F...F...Fd..F.-.F...F6..F...FRich...F........PE..L......`................. ...P.......>.......0....@.................................B................................................p..@............@...4...........6...............................................0...............................text............ .................. ..`.rdata......0.......0..............@..@.data............p..................@....rsrc...@....p.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (389), with CRLF line terminators
                    Category:modified
                    Size (bytes):124392
                    Entropy (8bit):5.06644534456823
                    Encrypted:false
                    SSDEEP:768:D/MiIzZC4aAM+TRMNMh09JAhQkQLKGQUE00qUCMzmN18Pvzu8/ok6vN5wgvjrmVq:j6h0t1EG4m
                    MD5:AFC47DFCDE43759EA5036A04DAB93D45
                    SHA1:F11E9FEA3EF4D6F14F69E61F1A79E260B521F258
                    SHA-256:02F7002355B2548918CFD72708D95BB06820DB773547B9594E9F2D9F02AD481F
                    SHA-512:F5D892F7990648344FC4CAF8765FBAF62765830B1C790BD2767EBF294F2BDEFEEEB31000F2F5E72F76990B65D7014DF01CD5DDA5785A4A33590CADD5E92A73CE
                    Malicious:false
                    Preview:.[3360] [0x8007007b] FIOReadFileIntoBuffer:(1452): The filename, directory name, or volume label syntax is incorrect...[3360] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)..[3360] [0xc142011c] WIMGetMountedImageHandle:(2906)..[3360] [0x8007007b] FIOReadFileIntoBuffer:(1452): The filename, directory name, or volume label syntax is incorrect...[3360] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)..[3360] [0xc142011c] WIMGetMountedImageHandle:(2906)..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 Temporarily setting the scratch directory. This may be overridden by user later. - CDISMManager::FinalConstruct..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 Scratch directory set to 'C:\Users\jones\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 DismCore.dll version: 6.2.19041.746 - CDISMManager::FinalConstruct..2023-10-03 13:01:57, Info DISM I
                    Process:C:\Windows\System32\svchost.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):524288
                    Entropy (8bit):0.3816776445190624
                    Encrypted:false
                    SSDEEP:192:9LAbpm8DmT1xMS92sICkjd0x5AUko5HOLboAcKYzFlgbm/:9LAb/M7mjhRoZO/oAPs
                    MD5:1418EB984CCF72431598B88FD347C207
                    SHA1:236F40D516BB56F5D9B02D2949CED4C7F628F69E
                    SHA-256:E01143A5F8ECA49080A8DE0C401289DFE1C1032399A5DBEF41E2A86BDEFA7D12
                    SHA-512:FC6E452F82BE92723649D1F66C4AD551759141A75285F71D45CC997916302299C724B81701712E4368E7315906F326A6B020F1809017EC45AF38278BC5E412F5
                    Malicious:false
                    Preview:....8...8...........................................!....................................?......................eJ......8,.....Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.6.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.6.1...........................................................@K5..............?..............N.e.t.C.f.g.T.r.a.c.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.N.e.t.S.e.t.u.p.\.s.e.r.v.i.c.e...0...e.t.l.........P.P..........?..................................................................8.B..?......19041.1.amd64fre.vb_release.191206-1406.....7.@..?.......I.[.8+m.!N8$......NetSetupEngine.pdb......4.@..?......].*;..y.q...2......NetSetupApi.pdb.db......5.@..?...........V.$$d...~. ....NetSetupShim.pdb........7.@..?.......-0...j.;B..p.)....NetSetupEngine.pdb......4.@..?.........>*.....Nr8..a....NetSetupApi.pdb.........4.@..?.........E_iC...F........NetSetupSvc.pdb.............................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32
                    Entropy (8bit):4.04595859334435
                    Encrypted:false
                    SSDEEP:3:J+uI2x9vYg0n:Jn1/0n
                    MD5:84606A6FE79BE410CAB5F652068C4046
                    SHA1:0E1C56DC7025B9CA6EF3C09B9B56306B86CA71C7
                    SHA-256:D3106A9A2105A843AFDA5712D5C975B4093AE4511F99C876077D18FDA8A81A49
                    SHA-512:71293DA5BC9A71EB2B439586354B24AEC258A3E69DE284278EE2AA45837C6EC3564607169C30D157C0359A70A0C0078D3B576A17DDD1DF3F936912F5599F6D40
                    Malicious:false
                    Preview:#.......9( ....c.lVJ.......P....
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (1991), with CRLF line terminators
                    Category:dropped
                    Size (bytes):11832
                    Entropy (8bit):2.667175001041187
                    Encrypted:false
                    SSDEEP:96:reFsNfzGu/FVbKE8jk2mpPTL1okyW3A9LNH6DxhJiI+JCzap5T0aecdy1:CFstzhvbKE8ihH1RyWA5NHAh3vaThnI1
                    MD5:93862F2D227A9EA9435CDE8FE66FE9D8
                    SHA1:583F6E6EB1B2E4832B627F59A604CFA0EF90085E
                    SHA-256:512B10127437CFE82E5B2D61D17FD28DFD8B66B1951D8129E38974CFC6ED68F8
                    SHA-512:2C23D6E4673CAA8B54B923C685A2E1F6BD15F125F40B84C58A1C7EB9448CCB9C10C4375A4E10F5371D259C4A91CCD49922F55CAF3D94EDF1352676760BEFFFAC
                    Malicious:false
                    Preview:..[.A.g.e.n.t.I.n.f.o.].....A.g.e.n.t.G.U.I.D.=.5.A.7.3.C.1.2.1.-.E.0.0.6.-.4.8.0.B.-.9.E.B.9.-.C.C.D.D.7.9.0.0.1.4.7.E.....A.g.e.n.t.I.D.T.i.m.e.C.o.u.n.t.e.r.=.B.4.0.0.0.0.0.0.....D.y.n.a.m.i.c.I.d.e.n.t.i.f.y.I.D.=.C.B.A.F.9.5.A.4.-.1.E.F.A.-.4.5.0.C.-.9.1.C.A.-.A.2.6.C.3.3.7.1.5.8.5.9.....[.A.g.e.n.t.C.o.n.f.i.g.].....A.I.D.=.0.1.0.0.0.1.0.0.....G.I.D.=.E.7.0.3.0.0.0.0.....S.I.P.=.5.9.3.0.7.D.2.D.....I.n.s.t.a.l.l.T.i.m.e.=.B.3.A.D.5.2.2.2.2.0.2.E.E.6.4.0.....O.U.T.O.F.L.I.C.E.N.S.E.2.=.0.1.0.0.0.0.0.0.....O.U.T.O.F.L.I.C.E.N.S.E.3.=.0.1.0.0.0.0.0.0.....O.U.T.O.F.L.I.C.E.N.S.E.4.=.0.1.0.0.0.0.0.0.....S.I.P.S.I.D.=.F.F.F.F.F.F.F.F.....S.N.a.m.e.S.I.D.=.F.F.F.F.F.F.F.F.....S.S.A.S.N.=.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.....A.I.D.I.n.f.o.2.=.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.0.0.0.0.0.0.0.2.0.0.0.
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32
                    Entropy (8bit):3.98345859334435
                    Encrypted:false
                    SSDEEP:3:J+qMetqRurt:JjMs/Z
                    MD5:34C1292AE0E2555C7E909CF4CB826055
                    SHA1:F3ACF6E789B9FD5836675EA5D943F8655ED3094B
                    SHA-256:565A6F3AC1C240C8FD6EBD10ECABD9D03E3CF70E0F53C13071192FA572BC6F88
                    SHA-512:8A7D8469DE547F92B7F8FFBAF2EDDE4BBDE0E7915450D2291BBB5793FCE077B4C68C94A2CA9F4DA00F9B7A7B12AC613CED649D341F4941F84DC7D0CFBEDE784F
                    Malicious:false
                    Preview:#.......=..r.@8.H..J..[Yt..l....
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):120
                    Entropy (8bit):3.9611859352069896
                    Encrypted:false
                    SSDEEP:3:bZB8vbdwRWxIIu4llB7OclAlDLqRI/lll:bZKvuRWuIH/BKcalDmK/
                    MD5:E4403A550F755E27A8C483C39EA6D9F0
                    SHA1:E077AC2BE5ED9BFCC28A064E51D58406DC7AE01B
                    SHA-256:649DE8F83423EBF83309E7871AFDA2188FB2879DE4232C4F9904D4917C399828
                    SHA-512:1CA461DEA7807F8738073748C94F74A2B7C2CADE0E29CD833BF0B0DBF362D1B2F7E3860EBC3481A669CA8137F0185FE1F03CC9CCF5A5A90AE7B4367E4CBDD2BD
                    Malicious:false
                    Preview:@..J..@l.T:......b.x..w...k.Pp.T..........(.E(.............................U.W.F.P.r.i.v.i.l.e.g.e.S.e.t.t.i.n.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):112
                    Entropy (8bit):4.039064029711979
                    Encrypted:false
                    SSDEEP:3:bZB8vPu9P9D/lheW9Xa/5O3+l5hl:bZKvPu91LqwYh
                    MD5:3E6654008079C90B2D4F5453A91CEB1E
                    SHA1:0FC96EB72C2533D94AB4DD82A3540AB0D925CA33
                    SHA-256:B05C61543AD5DD634160CA43BDD0F53800FBEEC5E1B672617B8A4DFC249758E9
                    SHA-512:053E025D11D99AB7BED901CB45F862E2FD6D7E25EFFE96D100F70C0FE996A4AFB47443964D542C50CA210685E56B087C11E91FEF520421B87349C321B9351B95
                    Malicious:false
                    Preview:@..J..@l.T:.......[.y...*AC@.L..........9.s.;.2.........................U.W.F.P.o.l.i.c.y.C.o.n.f.i.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):114
                    Entropy (8bit):4.113165628702379
                    Encrypted:false
                    SSDEEP:3:bZB8v/JObClX+4VU+DW7LXMRsyQsh/:bZKv/J8/4VnDWsqyQY/
                    MD5:867793F065C24188DAAC967349506A31
                    SHA1:F9A23F96651B972702437953273A7448BDF50CBC
                    SHA-256:C925E41CF141167DD3EB1F31F3A10DA3C4B2DA84F445CF44CD8F65B887D2768B
                    SHA-512:11A1D723749CEEEC4E6317ACEC7C02814712C9AA01094D60ED1C752B8C88E73A07B920A914A89CDAF7BB2720D19B083DEB1FD29488F9563DA4A48FE9265254E8
                    Malicious:false
                    Preview:@..J..@l.T:...........I;'.F..`.N.........&....q..R.........................U.W.F.C.u.r.r.e.n.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):108
                    Entropy (8bit):4.19161817311922
                    Encrypted:false
                    SSDEEP:3:bZB8vVkLvr0//Zl/l5GlneEQsh/:bZKvV6r0bKlneEQY/
                    MD5:2A05153B81754931059A1DCDD3EF9176
                    SHA1:D23C72C87BFF3DFE247FF1054418C5597D530105
                    SHA-256:18816C44067A97ADF28538DAEF17736BB2190F4502C9DF64AB0A87E6828D225C
                    SHA-512:3811022A36E65370173C132E51B1B51B5AAD23B58388CF5A788EF93759D4EDE19E69596BC422F8873704F4ADD7D0D4395A245B059777F7977D128500FCAA9E9F
                    Malicious:false
                    Preview:@..J..@l.T:.....j..]"{[..&.9;..H........... .!A............................U.W.F.N.e.x.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):84
                    Entropy (8bit):4.42629228747888
                    Encrypted:false
                    SSDEEP:3:vw7vXbkR/XE8+JMolZOclAlDLqRI/lll:vw7vXAZXV22calDmK/
                    MD5:C6AFB1789085A3AB4BD2AABB7582F6A2
                    SHA1:509D4E73B9343793216F0C528FC56FE357C6FB02
                    SHA-256:AB2C78442B8BE2EAE2C04211D1DFC1BC1BDD6B5C83206C4503E1CE4733B8E25F
                    SHA-512:7941BA804BA263E0D05B9561CD3E850E17FB86477BF6F9D0A1EDEDBF4020D0E058A3BB4A1239B95B50C7DE01C5EAC96759A43CDD73F3B2D0E9B87CDBC468CB20
                    Malicious:false
                    Preview:...U7.C..mS.....SZ..W3hL%..D.0.......U.W.F.P.r.i.v.i.l.e.g.e.S.e.t.t.i.n.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):76
                    Entropy (8bit):4.516267253592337
                    Encrypted:false
                    SSDEEP:3:vw7vXgwU3/q6ZO3+l5hl:vw7vX1UPyYh
                    MD5:47E5E2E3A4CC5B31309A66C65B1EEF68
                    SHA1:B23B22E6692B39F7C8951930BDB06AFC7961993B
                    SHA-256:6F2443E96CA9C7B34F2CA22B4D7F9AE2A94B422BB2FF5C1B4F46F0C1E115B389
                    SHA-512:CF926347CFADA8A86E320157FF0F8ABB1A690A4450A62CE7A80577A12E29541A4AB2B843A9EA6033637029DE9FB23D873D01F4E11F3B719D50C10E8C9EDC8AF0
                    Malicious:false
                    Preview:...U7.C..mS.....h.33....U...C(.......U.W.F.P.o.l.i.c.y.C.o.n.f.i.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):78
                    Entropy (8bit):4.521220427212312
                    Encrypted:false
                    SSDEEP:3:vw7vXY41ql3olZLXMRsyQsh/:vw7vXx1qfqyQY/
                    MD5:14EF11E142901355611F1125FF7A1464
                    SHA1:E3D03588ED9A40FFFC2016AE026E6F82BE06B497
                    SHA-256:8CE2AF761313038D42651CCE0D5D42D6D05DB6EF6C352F5047B3DDA138AC77C9
                    SHA-512:42AFBB594B862F5E0F7911E96359BC4EE748ADB8A6ACAD73C8B7124AF538346238E8796570FA6E810BBC147AF1F00B71A96E3026B144ED5297A5390FEA523BB2
                    Malicious:false
                    Preview:...U7.C..mS....6.%.N..r.;...*.......U.W.F.C.u.r.r.e.n.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):72
                    Entropy (8bit):4.602391902661978
                    Encrypted:false
                    SSDEEP:3:vw7vXzKoAELTllZGlneEQsh/:vw7vX+oAEXlilneEQY/
                    MD5:DDE7C6F81CFB6AA4091156BD0B69008A
                    SHA1:6134397B79990AB4D6707AD299B8D031A8D82F4E
                    SHA-256:1BECADDF6DC7E897C561D77D31AE890B30F03FB3FBB489C99937BBEFA1E25536
                    SHA-512:1F733D03A7822343A8C9B1278EE16B7E24D66B6F18BBCCF57AD7852B35094B25BE38FE7443086DADF438F7F96AFA0B9CD1266283141C7B8D21452C13F5051E66
                    Malicious:false
                    Preview:...U7.C..mS....Af..9Ko.n$j.<l.$.......U.W.F.N.e.x.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (1863), with CRLF line terminators
                    Category:dropped
                    Size (bytes):10902
                    Entropy (8bit):2.6693479707079604
                    Encrypted:false
                    SSDEEP:96:rK34o6/nvtY/MDEg9COaFlaKNx5fl89MksbCMasa3gsVxbgLq6DTr:23onF4MDxUlaKN/fl89nsbHasyx7bglr
                    MD5:8248706A449F328F71B5EFBD5975B4D3
                    SHA1:12794F83D7E127AF81F4B740F816F10FC325BCD5
                    SHA-256:BD04D4903E0DC2329ACD78E80060CED6CE0E98D803AF6908967E9646C8D5A38F
                    SHA-512:6D90116FCAFE23FAAD700763767747317941D41ED7F445ABB3C365C79DEBDB9C08139075713DA7F4EB6AB05FE508AF396E52E50CF45DAE9B6EBF52A8BBD0375F
                    Malicious:false
                    Preview:..[.A.g.e.n.t.I.n.f.o.].....A.g.e.n.t.G.U.I.D.=.9.D.2.4.1.D.B.6.-.1.0.9.0.-.4.F.C.5.-.8.1.9.A.-.8.A.6.9.2.3.7.E.6.7.E.0.....A.g.e.n.t.I.D.T.i.m.e.C.o.u.n.t.e.r.=.0.3.0.0.0.0.0.0.....D.y.n.a.m.i.c.I.d.e.n.t.i.f.y.I.D.=.7.3.4.7.D.3.8.9.-.C.5.E.B.-.4.E.0.C.-.A.F.D.E.-.1.9.E.8.0.5.1.C.9.A.9.1.....[.A.g.e.n.t.I.d.e.n.t.i.f.y.C.o.n.f.i.g.].....A.G.E.N.T.I.D.E.N.T.I.F.Y.I.T.E.M.3.=.0.1.0.0.0.1.0.0.B.6.1.D.2.4.9.D.9.0.1.0.C.5.4.F.8.1.9.A.8.A.6.9.2.3.7.E.6.7.E.0.0.A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.6.5.8.7.4.C.8.0.0.A.0.6.0.A.0.0.0.1.0.0.0.0.0.0.5.7.0.0.6.9.0.0.6.E.0.0.6.4.0.0.6.F.0.0.7.7.0.0.7.3.0.0.2.0.0.0.3.1.0.0.3.0.0.0.0.0.0.0.3.3.0.0.3.6.0.0.3.7.0.0.3.7.0.0.3.0.0.0.3.6.0.0.0.0.0.0.4.3.0.0.3.A.0.0.5.C.0.0.5.7.0.0.6.9.0.0.6.E.0.0.6.4.0.0.6.F.0.0.7.7.0.0.7.3.0.0.0.0.0.0.0.0.0.0.E.C.F.4.B.B.4.5.F.6.9.F.....A.G.E.N.T.I.N.F.O.I.T.E.M._.2.=.A.4.0.0.0.1.0.0.0.6.0.0.0.0.0.0.0.B.0.2.A.8.C.0.0.0.0.0.0.0.0.0.D.2.2.7.7.D.D.2.B.C.2.E.E.6.4.0.0.0.0.0.0.4.0.0.0.D.0.0.0.0.0.0.0.0.0.0.0.4.0.0.0.
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (3082), with CRLF line terminators
                    Category:modified
                    Size (bytes):13900
                    Entropy (8bit):2.313683551111372
                    Encrypted:false
                    SSDEEP:192:wYdWwousLMcIf8475rVLRguQiMd4zgh2gbl+zcxxAXV:wYn755LS7gclMy4V
                    MD5:418A54408BA9A205BF610B3D988079BF
                    SHA1:0E2D1271F8DE82A53692384339BA5C1872356AAA
                    SHA-256:E0F521EA253882C42BE62D13278ADBADDBE067BE39918341DB5041A65F7F8C5B
                    SHA-512:2519525C927E082ACFA1EC32AC32B4D409B6595B888D260BBD20D2DEA1A374B080794748CC36692D6EE989DD4D512754FAB7654EAF9919F6388D2DB798FDEB41
                    Malicious:false
                    Preview:..[.S.n.a.p.s.h.o.t.P.o.l.i.c.y.]....._._.L.o.c.a.l._._.=.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):116
                    Entropy (8bit):1.9437713370940948
                    Encrypted:false
                    SSDEEP:3:ywXVlv5l/5xW/2xW/0+l3b/Ykl/x+ln:9X5l/a/2xW/0+d/Ykl/Yln
                    MD5:0FEC84C804C35A414109AFA8A3FABFBE
                    SHA1:1282D2523FFCE262FDB4B4FD956BEBD92DDF4CCC
                    SHA-256:F2E8923890920AB98AF65E064100C9AA16265444050A850DEA123F393D33709B
                    SHA-512:6CB98299345C2509E1A7B78C2BDF6C73D85954E2ACF78B43DE731AED44A97F33B6EF60CDA61F4B78C84EDADF2162EA096A49449AAD6E90359DBEC331904461B5
                    Malicious:false
                    Preview:TS..O8C3................................................REC.........REC.........REC.........REC.........REC.........
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):68
                    Entropy (8bit):1.4879933542381731
                    Encrypted:false
                    SSDEEP:3:y+klt/9lv5CS/l/:RkX5Xl/
                    MD5:B2A694142B2B98F1C5B41F6D28D02CE6
                    SHA1:547CE4E42BBE81A358D6866A1A5B194EE2D5720E
                    SHA-256:21F56710A7667C48FD5993A2B42AEEE519527BFD36075BA0A11DFC0BEC583F0E
                    SHA-512:6CDB6417BA0AD61AA13FE9E27E33BBB4EA29DA37969459A9EF5ED054C2822139DDA1E7C2F00FBA5D43683DDC7603546FA610E813C9F76DC34067D3CCE7A14E9C
                    Malicious:false
                    Preview:TS..OWUA................................................REC.........
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):68
                    Entropy (8bit):1.4879933542381731
                    Encrypted:false
                    SSDEEP:3:y+klt/9lv5CS/l/:RkX5Xl/
                    MD5:B2A694142B2B98F1C5B41F6D28D02CE6
                    SHA1:547CE4E42BBE81A358D6866A1A5B194EE2D5720E
                    SHA-256:21F56710A7667C48FD5993A2B42AEEE519527BFD36075BA0A11DFC0BEC583F0E
                    SHA-512:6CDB6417BA0AD61AA13FE9E27E33BBB4EA29DA37969459A9EF5ED054C2822139DDA1E7C2F00FBA5D43683DDC7603546FA610E813C9F76DC34067D3CCE7A14E9C
                    Malicious:false
                    Preview:TS..OWUA................................................REC.........
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):56
                    Entropy (8bit):1.1454678501138729
                    Encrypted:false
                    SSDEEP:3:y+ml//l9ln:Rm1
                    MD5:BF777B127EE66875E2B08174B00BBC07
                    SHA1:02EF38EB3FAD07CC2E795E33DAE9AD44CC1DE976
                    SHA-256:35C1AB113184120707B157D06E26AE834A48914EA0E313EA74EFDEBC7BA2E059
                    SHA-512:5F03FB5D7D8A3286452DC9D71E0F8369835C172C2179CA94FC81DDDEEB9F17F4404AEB2EA3C483809111CBE3F8741AD2C513A239E303B09F46E0230EC926DB07
                    Malicious:false
                    Preview:TS..OWUC................................................
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):56
                    Entropy (8bit):1.1454678501138729
                    Encrypted:false
                    SSDEEP:3:y+ml//l9ln:Rm1
                    MD5:BF777B127EE66875E2B08174B00BBC07
                    SHA1:02EF38EB3FAD07CC2E795E33DAE9AD44CC1DE976
                    SHA-256:35C1AB113184120707B157D06E26AE834A48914EA0E313EA74EFDEBC7BA2E059
                    SHA-512:5F03FB5D7D8A3286452DC9D71E0F8369835C172C2179CA94FC81DDDEEB9F17F4404AEB2EA3C483809111CBE3F8741AD2C513A239E303B09F46E0230EC926DB07
                    Malicious:false
                    Preview:TS..OWUC................................................
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6440
                    Entropy (8bit):2.703437557196804
                    Encrypted:false
                    SSDEEP:48:O/B+9B/ky/oUlCF//64xmxQ3Nm/zF0ivFz2WF:O/BUWy/5e//647OPF
                    MD5:01BA7A1E3DDF180EFADB2912C76015F2
                    SHA1:0E7B694453C862C1756092FD0BC9FE51281E3AC7
                    SHA-256:8EE4BEC263EA8F8BA4E6DAB92DC83EAD34BE842C3CA5B3CBFAD8B162FFA61862
                    SHA-512:774FA7A601B3ACDC41AA346F790C81AE9055FAC0323D4F36DAB070926F4B92C64E8389CFC625B7424D37F2D26985B9300E71C6D58D672223398B14F7EC09F62E
                    Malicious:false
                    Preview:TS..ODH3................@.......................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.........................................w......?.....?....3.....Rich...........................PE..L.....lc.................P...................`....@.................................D........................................"..........P...........h0...Q...........i...............................................`...............................text....F.......P.................. ..`.rdata.......`.......`..............@..@.data.......`.......`..............@....rsrc...P............ ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................................4.............................9...................|...}.......Rich............PE..L.....lc..........................................@...........................%......q%.....................................XX!.@.....%.H...........h.$..Q.......... ................................................................................text...b........................... ..`.rdata..............................@..@.data.........!.......!.............@....rsrc...H.....%.......$.............@..@........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6440
                    Entropy (8bit):2.611395388334064
                    Encrypted:false
                    SSDEEP:48:O/BO1h/kK/coy/cR/dLCk5o4cw3nq84rubl6yxU3pK/6LIOqSb4l:O/Bs2K/Ry/kLfRY3p57zo
                    MD5:4833D1B03D03DDCCA0F0CF5DD8DA3B30
                    SHA1:7B024506119792C930D3C124B5C657EF39621A02
                    SHA-256:7C14B529CC521CBE9B74DC4E4B6389A6B49BEEBE1E68E9F3AD377A3C6124CA7C
                    SHA-512:045503A09EB069AE3C3618EA0AA31FA8E08AD69F34B231C50BB5B8053C6E470BBAD783D9B99C3458EECBAB4B6DC18A7EB47C003DA58E0F1D9ACFEB77F16EEAD7
                    Malicious:false
                    Preview:TS..ODH3................@.......................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................REC..c..............................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14361064
                    Entropy (8bit):6.500004536427748
                    Encrypted:false
                    SSDEEP:196608:SPDuLJR9PL40/Rau8ik8lqRls5lzrZVlV03gHn4rj/L:vt8MYRlsDppf4rDL
                    MD5:3AE42CB8A028C5BE3F57575342BBB56D
                    SHA1:2939396B9069D4B46FEBC047B13CE2C30DE7E886
                    SHA-256:0E0EFB65F52F8AE90F1227AAFDDB1BD23803229497FC82C5C458C8D6EB83A609
                    SHA-512:F4E5C0FF991FC907049171F8BC0AC763462E081B411547A3B24F7D57B51A73FB2C3D0A8DAF5CCCB0DDD8970ED5C81BAF3A2C8E5B22EB3CCDC672A1E1AA01AE24
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Windows\SysWOW64\winoav3.dll, Author: Joe Security
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........j...9...9...9<..9...9.<.9...9...9...9...9...9...9...9Z..9...9...9...9W..9...9.8.9:..9<..9...9...9...9...9...9.8.9}..9...9...9+>.9...9Rich...9................PE..L...?i.c...........!..........I.....+.e..............................................................................Y...............P.............h....Q..........0...................................................(............................text............................... ..`.rdata...J.......P..................@..@.data.....+..`....$..`..............@....rsrc.......P.......`..............@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):58640
                    Entropy (8bit):4.987085254759881
                    Encrypted:false
                    SSDEEP:768:aYNaVzGJ6dKwFGeThZF1oGPh4xFn2MpDGNxvTp23+zjo1:aEaVzGvwFGefoGyjcM0o1
                    MD5:0CBEB75D3090054817EA4DF0773AFE35
                    SHA1:58C543A84DC18E21D86AD2C011D8AC726867FB78
                    SHA-256:453E2290939078C070E46896B2D991F31D295BBC1C63059B10F3C24CAD7C4822
                    SHA-512:F3AB9F393DA18DF2CFC22020627E72AE9E7C7B47DB088AAF0FA773028C96D0E7E3D4127082B59296EECFC9C60D389A43C78BA0A4348B0F6CEB76CC8978BA649C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 3%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv..Xv..Xv..Dz..Xv..Dx..Xv..~|..Xv..Ge..Xv..Xw..Xv..~}..Xv.P^p..Xv.Rich.Xv.................PE..L......`.................P...P...............`....@.................................F.......................................Td..(...................P....4...........`...............................................`...............................text...0E.......P.................. ..`.rdata.......`.......`..............@..@.data....)...p...0...p..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2208232
                    Entropy (8bit):6.655043465468702
                    Encrypted:false
                    SSDEEP:24576:ZlX1wCmSn/ggkRk9XJ4QkOHE5/H8ZZsjLAAhHoMapx1XyM05g8wWT3Q80I:HRZR5vkIE5P88hAFXyM05IWk8D
                    MD5:0AED8F70A00060F8005EFA8D1C668B98
                    SHA1:C75FE3D1A2476DA55F526D366F73BEDBFD56F32A
                    SHA-256:326ABF1AF467670DE571252BFD8118B9EA0B8A3BABC10DF092FFFC2DA3E11671
                    SHA-512:738F9CBD6F693647D8B091D7192DB8963E2C4ECB179CE1B5C7A81F56045674694FAED7FDF88AF5D7E144149D86DF167D9ADF6460E3905024FAF526C08F7DC787
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r..r..r...y..r..~..r...a..r..r..r.).|..r..x..r..s...r..a..r..y...r.m.t..r.U.v..r.Rich..r.........PE..L.....lc...........!..........................................................".....0."..............................A..........,.....!.P...........h`!..Q... !.(...0...................................................(............................text............................... ..`.rdata..tR.......`..................@..@.data...|....P...@...P..............@....rsrc...P.....!.....................@..@.reloc..2.... !.....................@..B................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):1326464
                    Entropy (8bit):6.399945075671774
                    Encrypted:false
                    SSDEEP:24576:YunZ2BYJf0ZF1H+V7o+9Ql7Dm2E6WJ6pFgGJifEozVlFQQr11tO+F2lE4i1d8g1O:FmAf0BH+Vs+9CG2E6WJ6pOGJYFzV7QQO
                    MD5:889482A07BA13FC6E194A63D275A850A
                    SHA1:16A164FDED3352ABB63722A5C74750CDC438F99A
                    SHA-256:799D176813C3D0F5A01FD482576AEAB6A63E5024F3392E7974F5E437C3D7E3A0
                    SHA-512:E5CB9CF49120ED20B07FACEEFCCEF24DA4335F28F49D9AE7BFAFCCBC9A239C4039E9CE5F5D13B49D0BE475B3913311D08B7D70A1A2DF0C974D4C5A5F7BEC507A
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PGI..&'..&'..&'..h...&'.{P...''.{P...&'..^...&'..^...&'..^...&'..&&.M''.{P...&'.{P...&'.4....&'.{P...&'.Rich.&'.........PE..d...-.lc.........." .................x..............................................=.....@..........................................f......<A.......@.......@...........Q...P...8..P................................................................................text............................... ..`.rdata..FW.......X..................@..@.data........p...L...\..............@....pdata.......@......................@..@.rsrc........@......................@..@.reloc...C...P...D..................@..B........................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14361064
                    Entropy (8bit):6.500004536427748
                    Encrypted:false
                    SSDEEP:196608:SPDuLJR9PL40/Rau8ik8lqRls5lzrZVlV03gHn4rj/L:vt8MYRlsDppf4rDL
                    MD5:3AE42CB8A028C5BE3F57575342BBB56D
                    SHA1:2939396B9069D4B46FEBC047B13CE2C30DE7E886
                    SHA-256:0E0EFB65F52F8AE90F1227AAFDDB1BD23803229497FC82C5C458C8D6EB83A609
                    SHA-512:F4E5C0FF991FC907049171F8BC0AC763462E081B411547A3B24F7D57B51A73FB2C3D0A8DAF5CCCB0DDD8970ED5C81BAF3A2C8E5B22EB3CCDC672A1E1AA01AE24
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Windows\bakoav3.sys, Author: Joe Security
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........j...9...9...9<..9...9.<.9...9...9...9...9...9...9...9Z..9...9...9...9W..9...9.8.9:..9<..9...9...9...9...9...9.8.9}..9...9...9+>.9...9Rich...9................PE..L...?i.c...........!..........I.....+.e..............................................................................Y...............P.............h....Q..........0...................................................(............................text............................... ..`.rdata...J.......P..................@..@.data.....+..`....$..`..............@....rsrc.......P.......`..............@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.........................................w......?.....?....3.....Rich...........................PE..L.....lc.................P...................`....@.................................D........................................"..........P...........h0...Q...........i...............................................`...............................text....F.......P.................. ..`.rdata.......`.......`..............@..@.data.......`.......`..............@....rsrc...P............ ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):58640
                    Entropy (8bit):4.987085254759881
                    Encrypted:false
                    SSDEEP:768:aYNaVzGJ6dKwFGeThZF1oGPh4xFn2MpDGNxvTp23+zjo1:aEaVzGvwFGefoGyjcM0o1
                    MD5:0CBEB75D3090054817EA4DF0773AFE35
                    SHA1:58C543A84DC18E21D86AD2C011D8AC726867FB78
                    SHA-256:453E2290939078C070E46896B2D991F31D295BBC1C63059B10F3C24CAD7C4822
                    SHA-512:F3AB9F393DA18DF2CFC22020627E72AE9E7C7B47DB088AAF0FA773028C96D0E7E3D4127082B59296EECFC9C60D389A43C78BA0A4348B0F6CEB76CC8978BA649C
                    Malicious:true
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv..Xv..Xv..Dz..Xv..Dx..Xv..~|..Xv..Ge..Xv..Xw..Xv..~}..Xv.P^p..Xv.Rich.Xv.................PE..L......`.................P...P...............`....@.................................F.......................................Td..(...................P....4...........`...............................................`...............................text...0E.......P.................. ..`.rdata.......`.......`..............@..@.data....)...p...0...p..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:true
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................................4.............................9...................|...}.......Rich............PE..L.....lc..........................................@...........................%......q%.....................................XX!.@.....%.H...........h.$..Q.......... ................................................................................text...b........................... ..`.rdata..............................@..@.data.........!.......!.............@....rsrc...H.....%.......$.............@..@........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2208232
                    Entropy (8bit):6.655043465468702
                    Encrypted:false
                    SSDEEP:24576:ZlX1wCmSn/ggkRk9XJ4QkOHE5/H8ZZsjLAAhHoMapx1XyM05g8wWT3Q80I:HRZR5vkIE5P88hAFXyM05IWk8D
                    MD5:0AED8F70A00060F8005EFA8D1C668B98
                    SHA1:C75FE3D1A2476DA55F526D366F73BEDBFD56F32A
                    SHA-256:326ABF1AF467670DE571252BFD8118B9EA0B8A3BABC10DF092FFFC2DA3E11671
                    SHA-512:738F9CBD6F693647D8B091D7192DB8963E2C4ECB179CE1B5C7A81F56045674694FAED7FDF88AF5D7E144149D86DF167D9ADF6460E3905024FAF526C08F7DC787
                    Malicious:true
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r..r..r...y..r..~..r...a..r..r..r.).|..r..x..r..s...r..a..r..y...r.m.t..r.U.v..r.Rich..r.........PE..L.....lc...........!..........................................................".....0."..............................A..........,.....!.P...........h`!..Q... !.(...0...................................................(............................text............................... ..`.rdata..tR.......`..................@..@.data...|....P...@...P..............@....rsrc...P.....!.....................@..@.reloc..2.... !.....................@..B................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):1326464
                    Entropy (8bit):6.399945075671774
                    Encrypted:false
                    SSDEEP:24576:YunZ2BYJf0ZF1H+V7o+9Ql7Dm2E6WJ6pFgGJifEozVlFQQr11tO+F2lE4i1d8g1O:FmAf0BH+Vs+9CG2E6WJ6pOGJYFzV7QQO
                    MD5:889482A07BA13FC6E194A63D275A850A
                    SHA1:16A164FDED3352ABB63722A5C74750CDC438F99A
                    SHA-256:799D176813C3D0F5A01FD482576AEAB6A63E5024F3392E7974F5E437C3D7E3A0
                    SHA-512:E5CB9CF49120ED20B07FACEEFCCEF24DA4335F28F49D9AE7BFAFCCBC9A239C4039E9CE5F5D13B49D0BE475B3913311D08B7D70A1A2DF0C974D4C5A5F7BEC507A
                    Malicious:true
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PGI..&'..&'..&'..h...&'.{P...''.{P...&'..^...&'..^...&'..^...&'..&&.M''.{P...&'.{P...&'.4....&'.{P...&'.Rich.&'.........PE..d...-.lc.........." .................x..............................................=.....@..........................................f......<A.......@.......@...........Q...P...8..P................................................................................text............................... ..`.rdata..FW.......X..................@..@.data........p...L...\..............@....pdata.......@......................@..@.rsrc........@......................@..@.reloc...C...P...D..................@..B........................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:Generic INItialization configuration [extensions]
                    Category:dropped
                    Size (bytes):3443
                    Entropy (8bit):3.782143742362491
                    Encrypted:false
                    SSDEEP:48:ZpccIVf4WAceYI9hmzqcUoeG9CVuHpQrf:ZpccMf89hQUVuHwf
                    MD5:210E4584E9309A18A26DB1D2781B6DCE
                    SHA1:913154C4A494FC34FBBC622C90F392A2AE6532D5
                    SHA-256:4A7721DD7742DDEB91B7477DC7CDFFD13E26FF32EBF064BA996EB27227DD9A58
                    SHA-512:F94B90420D2C6F5F3634860261FE1792460D949FB600ED7CDA3091D363A877D2F36028B443AA5947AB9B8051FE5F4FAEAC28073C1864CFF2FB2CCE907F3F4ECF
                    Malicious:false
                    Preview:; for 16-bit app support..[fonts]..[extensions]..[mci extensions]..[files]..[Mail]..MAPI=1..[ED30_8AC4_11D5_8930_A730]..OUTOFLICENSEEX=010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000..OUTOFLICENSE4=1..OUTOFLICENSE3=1..OUTOFLICENSE2=1..AID=65700..GID=999..SIP=763179097..SIPD=4294967295..SNameSID=4294967295..InstallTime=D2277DD2BC2EE640..SName=..AIDInfo2=000000000000000006000000020000000200000043003A005C00570049004E0044004F0057005300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.998967238875457
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 92.16%
                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:#U8fdd#U89c4#U540d#U5355.exe
                    File size:14'038'624 bytes
                    MD5:5d84e6ed7d8e9b89fae2771d6870393e
                    SHA1:fee5fe80e8cf95156c1129079747729f9ad54cef
                    SHA256:193a19a4d22e3f959cd43b0aa05c11a3793283a27f9af95e8d468693277ef128
                    SHA512:a97e087431345b7098c9c8d2bfa517f2a229b10deb4f1c142495e8a3de78461e40d04bb965534f30d2a67c358a2120e01783517756e4d59df4d6c046f56818c4
                    SSDEEP:196608:wH5YImLyHSWpi627ofHc1fO2y01Hi/eLspPrf085u/AgponDcMWTjiNvGfi8T9jY:wwSSiz/cO/qC/qspD8TaDtefNT9jY
                    TLSH:29E63381D0455CDEF25AA0B7A4C0C19899D55B099B386F6922FBF872F63A6D33783C07
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....f.R.................`...|......;2.......p....@
                    Icon Hash:6de86a969696cc6d
                    Entrypoint:0x40323b
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    DLL Characteristics:TERMINAL_SERVER_AWARE
                    Time Stamp:0x52BA66BB [Wed Dec 25 05:01:47 2013 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:59a4a44a250c4cf4f2d9de2b3fe5d95f
                    Instruction
                    sub esp, 00000184h
                    push ebx
                    push ebp
                    push esi
                    xor ebx, ebx
                    push edi
                    mov dword ptr [esp+18h], ebx
                    mov dword ptr [esp+10h], 00409130h
                    mov dword ptr [esp+20h], ebx
                    mov byte ptr [esp+14h], 00000020h
                    call dword ptr [00407034h]
                    push 00008001h
                    call dword ptr [004070B4h]
                    push ebx
                    call dword ptr [0040728Ch]
                    push 00000008h
                    mov dword ptr [0042E478h], eax
                    call 00007F5AC15E1FA2h
                    mov dword ptr [0042E3C4h], eax
                    push ebx
                    lea eax, dword ptr [esp+38h]
                    push 00000160h
                    push eax
                    push ebx
                    push 00428800h
                    call dword ptr [00407164h]
                    push 004091E4h
                    push 0042DBC0h
                    call 00007F5AC15E1C4Ch
                    call dword ptr [004070B0h]
                    mov ebp, 00434000h
                    push eax
                    push ebp
                    call 00007F5AC15E1C3Ah
                    push ebx
                    call dword ptr [00407118h]
                    cmp byte ptr [00434000h], 00000022h
                    mov dword ptr [0042E3C0h], eax
                    mov eax, ebp
                    jne 00007F5AC15DF1FCh
                    mov byte ptr [esp+14h], 00000022h
                    mov eax, 00434001h
                    push dword ptr [esp+14h]
                    push eax
                    call 00007F5AC15E16CAh
                    push eax
                    call dword ptr [00407220h]
                    mov dword ptr [esp+1Ch], eax
                    jmp 00007F5AC15DF2B5h
                    cmp cl, 00000020h
                    jne 00007F5AC15DF1F8h
                    inc eax
                    cmp byte ptr [eax], 00000020h
                    je 00007F5AC15DF1ECh
                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x74b0          | 0xb4         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x37000         | 0xbb90       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x7000          | 0x298        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x5f52       | 0x6000   | 4a17c912e054bd7e689058c6e023d24b | False    | 0.6734212239583334  | data      | 6.482844752733138  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000          | 0x12da       | 0x1400   | 0c7782eb506f624e867e0814d74757b0 | False    | 0.438671875         | data      | 5.098239122979059  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x9000          | 0x254b8      | 0x400    | b0a8c6c425968dda759cc449cbca4651 | False    | 0.6416015625        | data      | 5.095969613313189  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2f000         | 0x8000       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty     | 0.0                | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x37000         | 0xbb90       | 0xbc00   | c63d58071faf4726f9cfe8ad6e0476fe | False    | 0.15452543218085107 | data      | 3.5948245523656785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0x37298 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.06654463863958432
                    RT_ICON | 0x3b4c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.08952282157676349
                    RT_ICON | 0x3da68 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | English | United States | 0.11257396449704142
                    RT_ICON | 0x3f4d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.13836772983114445
                    RT_ICON | 0x40578 | 0xe78 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8917386609071274
                    RT_ICON | 0x413f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.1930327868852459
                    RT_ICON | 0x41d78 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.22209302325581395
                    RT_ICON | 0x42430 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2925531914893617
                    RT_DIALOG | 0x42898 | 0x100 | data | English | United States | 0.5234375
                    RT_DIALOG | 0x42998 | 0x11c | data | English | United States | 0.6056338028169014
                    RT_DIALOG | 0x42ab8 | 0x60 | data | English | United States | 0.7291666666666666
                    RT_GROUP_ICON | 0x42b18 | 0x76 | data | English | United States | 0.7542372881355932
                    DLL | Import
                    KERNEL32.dll | GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
                    USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
                    GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                    SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                    ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                    COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                    ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                    Language of compilation system | Country where language is spoken | Map
                    English | United States |
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 18, 2024 03:37:16.677437067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:16.677620888 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:16.682708979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:16.843175888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:16.843450069 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:16.848467112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.010160923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.031755924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.129153967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.225904942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.226527929 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.226552010 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.231502056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.236352921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.385118008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.385330915 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.390245914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.550234079 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.550918102 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.555763006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.777441025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.808137894 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.813121080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.991648912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.995254993 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.000138044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.159816027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.160142899 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.166115999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.326425076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.359862089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.403467894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.538918018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.539607048 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.545681953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.716161013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.717942953 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.723069906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.891664028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.907907009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.913414955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.074215889 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.115847111 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.252657890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.260174036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.275053024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.275275946 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.324183941 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.420330048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.420892000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.425951958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.636229992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.641935110 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.648154020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.928143978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.928986073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.929212093 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.936162949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.941447020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.108283043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.133142948 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.138329983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.410645008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.410939932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.426959038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.593427896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.594007015 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.598854065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.876216888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.876502991 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.881562948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.070586920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.115885973 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.137847900 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.142796040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.348531008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.348814011 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.353705883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.532485962 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.533081055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.538028955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.848481894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.848750114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.853637934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.013170958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.047861099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:22.052896023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.319318056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.319554090 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:22.372447014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.519011974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.519629955 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:22.524535894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.230984926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.231219053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.236180067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.264326096 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.269260883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.714291096 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.714504004 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.719367027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.882122993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.882626057 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.889684916 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.193114996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.193317890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.198386908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.358377934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.369915009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.375588894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.685920954 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.686104059 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.691081047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.851021051 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.858778954 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.864084959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.165911913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.166070938 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:25.170957088 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.331012011 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.341296911 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:25.346347094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.638365984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.638607025 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:25.643551111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.848463058 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.897197962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.034986019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.040436029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.166394949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.166568041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.171536922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.414390087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.459670067 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.709628105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.756608009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.453905106 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.453959942 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.458939075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:27.509066105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:27.832303047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:27.832832098 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.837733984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.534152985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.534354925 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:28.540172100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.546096087 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:28.552052021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.994052887 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.994317055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:28.999289989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.178587914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.179069042 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:29.184124947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.488919020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.489108086 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:29.494565964 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.116305113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.127342939 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:30.127371073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:30.133512020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.139650106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.638873100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.641634941 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:30.646661043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.199534893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.199759007 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.205269098 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.213839054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.219110012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.688288927 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.688608885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.693591118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.865082979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.865729094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.870784044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.167790890 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.170348883 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:32.175287008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.334903002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.351113081 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:32.356354952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.065222979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.065615892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.065891027 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.070636034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.075460911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.542699099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.545788050 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.552087069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.711558104 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.721713066 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.728302002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.019174099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.019469023 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.024549007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.189419031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.189910889 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.194847107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.494828939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.495084047 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.500216961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.725738049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.742110968 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.748009920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.031747103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.032006025 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.042831898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.213824034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.214514017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.235877037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.539541006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.539848089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.553467989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.745073080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.782215118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.796364069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.187927961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.188930988 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:36.194010019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.570549965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.590653896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:36.595670938 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.971560001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.972362995 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:36.977257967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.353482008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.380800962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:37.385759115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.774509907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.775473118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:37.837924957 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.160212040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.174365997 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:38.179399967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.554824114 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.555707932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:38.560770988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.934386015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.945976019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:38.950928926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.326302052 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.327116966 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:39.332094908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.693945885 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.708509922 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:39.713589907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.089027882 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.089786053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:40.094711065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.469945908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.479935884 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:40.485001087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.856939077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.857593060 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:40.862596035 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.239602089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.251657009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:41.258239985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.631141901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.631762028 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:41.636698008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.012559891 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.028599024 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:42.033771992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.409756899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.410257101 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:42.415235996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.791204929 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.801913023 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:42.806971073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.180634975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.181277037 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:43.217103004 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.561656952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.615853071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:43.637593985 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:43.668533087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.043843985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.044425964 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.049304008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.203213930 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.203677893 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.208596945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.425045013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.451838017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.456995010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.729732037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.735308886 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.740292072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.852602005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.853269100 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.862160921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.115168095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.116520882 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.121442080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.334151983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.369601965 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.396338940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.547012091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.548188925 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.548278093 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.551696062 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.551708937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.551776886 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.755908012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.757164001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.757236958 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.760229111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.763360977 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.763437986 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.971749067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.972767115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.972884893 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.975317001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.977869987 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.977945089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.980451107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.980464935 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.980534077 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:46.187221050 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:46.188318014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:46.188369036 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:46.190880060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:46.193464994 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:46.193478107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:46.193489075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:46.193514109 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:46.193552017 CEST497118237192.168.2.11